Refine search

Reports

6 May 2022

Published

Transport 2021

Transport

Asset valuation

Compliance

Financial reporting

Information technology

Infrastructure

Internal controls and governance

What the report is about

The results of the Transport cluster agencies’ financial statement audits for the year ended 30 June 2021.

What we found

Unmodified financial statement audit opinions were issued for all Transport cluster agencies. Resolution of issues delayed signing the Transport Asset Holding Entity of NSW (TAHE) until 24 December 2021. Matters relating to TAHE are also reported in the report on State Finances 2021.

Emphasis of Matter - TAHE

An Emphasis of Matter paragraph was included in TAHE's audit opinion to draw attention to uncertainty associated with:

future access and licence fees that are subject to re-signed agreements
an additional $4.1 billion of funding that is outside the forward estimates period
a significant portion of the fair value of TAHE’s non-financial assets is reflected in the terminal value, which is outside the ten-year contract period to 30 June 2031, and the risk that TAHE will not be able to negotiate contract terms to support current projections.

TAHE's transition from RailCorp also changed its valuation of assets to an income approach, resulting in a $20.3 billion decrease to the fair value. The fair value decrease was because the cash flows were not sufficient to support the previous recorded value.

TAHE corrected a misstatement of $1.2 billion relating to the valuation of its assets. This followed significant deliberation on key judgements and assumptions, with TAHE adopting risk assumptions in its valuation that were not in line with comparable benchmarks.

Emphasis of Matter - State Transit Authority of New South Wales

An Emphasis of Matter paragraph was included in the State Transit Authority of NSW's (the Authority) audit opinion to draw attention to the financial statements not prepared on a going concern basis. This was because the NSW Government put the Authority's bus contracts out to competitive tender and accordingly, management assessed the Authority's principal activities are not expected to operate for a full 12 months after 30 June 2021.

The implementation of AASB 1059 ‘Service Concession Arrangements: Grantors’ resulted in a net increase in assets of $23.5 billion across the Transport cluster.

The 2020–21 audits identified six high-risk and 45 moderate risk issues across the cluster. Fourteen of the moderate risk issues were repeat issues, including information technology controls around management of user access for key financial systems and payroll processes.

The high-risk issues, in addition to those related to TAHE and previously reported in the report on State Finances 2021, include:

absence of conflict of declarations related to land acquisition processes at Transport for NSW
no evidence of conflict of interest declarations obtained by TAHE from consultants and contractors regarding involvement in other engagements.

What we recommended

TAHE needs to:

finalise revised commercial agreements to reflect fees detailed in a Heads of Agreement signed on 18 December 2021
prepare robust projections and business plans to support the required rate of return.

NSW Treasury and TAHE should monitor the risk that control of TAHE assets could change in the future.

Transport for NSW needs to significantly improve its processes to ensure all key information is identified and shared with the Audit Office.

Transport agencies should implement a process to ensure conflicts of interest declarations are completed for land acquisitions and applied consistently across the cluster.

Transport agencies should implement a process to capture all contracts and agreements entered to ensure:

agencies are aware of contractual obligations
financial reporting implications are assessed, particularly with respect to leases, revenue and service concession arrangements.

Fast facts

The Transport cluster plans and delivers infrastructure and integrated services across all modes of transport. This includes road, rail, bus, ferry, light rail, cycling and walking. There are 11 agencies in the cluster.

$128b road and maritime system infrastructure assets as at 30 June 2021
100% unqualified audit opinions were issued on agencies 30 June 2021 financial statements
26 monetary misstatements were reported in 2020–21
$24.9b rail systems infrastructure assets as at 30 June 2021
6 high-risk management letter findings were identified
37% of reported issues were repeat issues

This report provides Parliament and other users of the transport cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the cluster for 2021.

Section highlights

Unqualified audit opinions were issued on all Transport agencies' financial statements.
An 'Emphasis of Matter' paragraph was included in the Transport Asset Holding Entity of New South Wales' (TAHE) Independent Auditor's Report to draw attention to significant uncertainty associated with the judgements, estimates and assumptions supporting the valuation of TAHE’s property, plant and equipment (PPE) and intangible assets.
In 2020–21, the former RailCorp transitioned to TAHE, a for-profit state-owned corporation. When TAHE became a for-profit entity, it was required to change its valuation approach. The value of a for-profit entity's assets cannot exceed the cash flows they might realise either through their sale or continued use. This change in the basis of valuation resulted in a decrease of $20.3 billion in the fair value of the assets. The decrease in fair value was because the cash flows, which support measurement under the income approach, were insufficient to support the previous valuation based on the current replacement cost of those assets.
TAHE also corrected a misstatement of $1.2 billion relating to the valuation of its assets after significant deliberation on key judgements and assumptions, with TAHE adopting higher risk assumptions in its valuation when compared to the relevant market benchmarks.
On 18 December 2021, a Heads of Agreement (HoA) was signed between TAHE, Transport for NSW, Sydney Trains and NSW Trains. This HoA reflected TAHE's intention to negotiate higher access and licence fees in order to meet the shareholding ministers' revised expectation of a higher rate of return. This matter resolved the treatment of a significant accounting issue in the State’s consolidated (whole-of-government) financial statements. Refer to the Report on State Finances tabled on 9 February 2022. The expectation of an additional $5.2 billion in fees added to the valuation of TAHE's PPE and intangibles, with a final value of $17.15 billion.
The implementation of AASB 1059 ‘Service Concession Arrangements: Grantors’ resulted in a net increase in assets of $23.5 billion across the cluster. AASB 1059 had a significant impact on Transport for NSW, Sydney Metro, Sydney Ferries and TAHE's 2020–21 financial statements.
TAHE corrected a misstatement of $97.2 million relating to the application of AASB 1059 'Service Concession Arrangements: Grantors' for the Airport Link Company Contract.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.

Section highlights

The number of findings reported to management increased from 56 in 2019–20 to 73 in 2020–21.
Thirty-seven per cent were repeat findings. Many repeat issues related to information technology controls around user access management and payroll processes. These included deficiencies in the monitoring of privileged user access to key financial systems, review of user access to key financial systems and segregation of duties between preparer and reviewer for new employee hires.
Six new high-risk issues were identified in 2020–21, an increase of three compared to last year.
One high-risk issue related to conflicts of interests not being declared by all officers involved in the land acquisition process at Transport for NSW.
Five high-risk issues arose from the audit of TAHE, with respect to:
- control over TAHE assets and operations
- asset valuations
- access price build up
- detailed business modelling to support returns
- conflict of interest management.
Based on the access and licence agreements signed at 30 June 2021 between TAHE, Sydney Trains and NSW Trains, our review of the expected returns calculated by NSW Treasury did not support the assumption that there was a reasonable expectation that a sufficient rate of return could be achieved from the NSW Government's investment in TAHE.
On 14 December 2021 the shareholding ministers' increased their expectations as to TAHE's target average return from 1.5 per cent to the expected long-term inflation rate of 2.5 per cent.
On 18 December 2021 the revised shareholder expectations were confirmed in a signed Heads of Agreement. The Heads of Agreement will increase access fees paid by rail operators to TAHE by $5.2 billion.
TAHE's access and licence agreements specified fees that were well short of the IPART regulated maximum (ceiling price).
The finalisation of the access and licence agreements with Sydney Trains and NSW Trains resulted in a significant write-down of TAHE's asset value by $20.3 billion. The revaluation loss will need to be recovered as part of the shareholders’ rate of return of 2.5 per cent in order to sustain the whole-of-government accounting treatment of cash contributions recorded as an equity contribution and not a grant expense.
There was a significant adjustment to TAHE’s valuation between the financial statements originally submitted for the audit and the final, signed financial statements due to differences in risk assumptions resulting in a correction of a $1.2 billion misstatement.

Findings reported to management

The number of findings reported to management has increased, and 37 per cent of all issues were repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 73 findings raised across the cluster (56 in 2019–20) and 37 per cent of all issues were repeat issues (43 per cent in 2019–20).

In view of the recent performance audit ‘Managing Cyber Risks’ and compliance audit ‘Compliance with the NSW Cyber Security Policy’ involving the cluster, it is noted with concern that the most common repeat issues related to weaknesses in controls over information technology user access administration and password management. Moderate risk issues included completeness and accuracy of contract registers, accounting for assets and management of supplier and payroll masterfiles.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports, and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Control deficiencies may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation, and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

Risk rating	Issue
Information technology
Moderate: 7 new, 4 repeat**	The financial audits identified opportunities for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with: monitoring of privileged user access user access management password configuration management.
Low: 4 new, 1 repeat***
Internal control deficiencies or improvements
High: 1 new*	The financial audits identified internal control deficiencies across key business processes, including: declarations of conflicts of interest over land acquisitions (see further details below) management of contracts and agreement register accounting for assets management of payroll and supplier masterfiles payroll processes.
Moderate: 15 new, 8 repeat**
Low: 2 new, 5 repeat***
Financial reporting
High: 3 new*	The financial audits identified opportunities for agencies to strengthen financial reporting, including: asset valuations (see further details below) detailed business modelling to support returns (see further details below) access price build-up (see further details below) timely capitalisation of completed assets.
Moderate: 3 new, 1 repeat**
Low: 2 new***
Governance and oversight
High: 1 new*	The financial audits identified opportunities for agencies to improve governance and oversight processes, including: control over TAHE assets and operations governance over Cyber Security.
Moderate: 2 new**
Non-compliance with key legislation and/or central agency policies
High: 1 new*	The financial audits identified the need for agencies to improve its compliance with key legislation and central agency policies, including: conflict of interest (COI) management outdated policies and procedures incomplete probation procedures.
Moderate: 4 new, 1 repeat**
Low: 1 new, 7 repeat***

* High-risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
** Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
*** Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Note: Management letter findings are based either on final management letters issued to agencies.

2020–21 audits identified six high-risk findings

High-risk findings were reported at the following cluster agencies.

Agency	Description
2020–21 findings
Transport for NSW (new finding)	Declaration of conflicts of interest in the land acquisition process In 2021, we conducted a performance audit over the Acquisition of 4–6 Grand Avenue, Camellia which examined: whether Transport for NSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia whether Transport for NSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects. The report made several recommendations over Transport for NSW’s internal policies and procedures to guide the land acquisition process. As part of the financial audit, we obtained an understanding of key controls and processes relating to the acquisition of land, relevant to the audit of the financial statements. We found that conflicts of interests were not always declared by all officers involved in the land acquisition process. Furthermore, processes for declaring conflicts of interests are not consistently applied across cluster agencies. Out of a sample of 19 land acquisitions tested, we identified: 14 instances where there was no evidence of declarations of conflicts of interests made by the team members involved in the acquisition process 2 instances where conflicts of interest declarations were completed by key members of the acquisition team only at a project level 1 instance where conflicts of interest declarations were only completed by the property negotiator and the valuer, but not the other members of the acquisition team. Management advised that the land acquisition processes, at the time of the land acquisitions, did not require formal conflicts of interests to be declared as they believe that as per Transport for NSW code of conduct, declaration is only required where the staff member considers that a potential or perceived Conflict of Interest exists. However, Transport for NSW's Procurement Policy requires the documentation of formal declarations from all staff involved in procurement activities to formally disclose any conflicts of interest or state that they do not have a conflict of interest. This matter has been included as a high-risk finding in the management letter as absence of rigorous and consistent management of conflicts of interests, and non-compliance with established policies increases the risk that Transport for NSW may be exposed to reputational damage or financial losses in relation to land acquisitions. Furthermore, this may result in lack of probity or value-for money considerations during the land acquisition process. Further details are elaborated below under 'Land acquisitions'.
Transport Asset Holding Entity of New South Wales (new finding)	Control over TAHE assets and operations The State-Owned Corporations Act 1989 maintains that all decisions relating to the operation of a statutory state-owned corporation (SOC) are to be made by or under the authority of the board. However, under the Transport Administration Act 1988 (TAA), the functions of TAHE may only be exercised under one or more operating licences issued by the portfolio minister. The current Operating Licence confers terms and conditions for TAHE to carry out its functions, and imposes constraints on TAHE, including (but not limited to): railway operations not permitted transport services not permitted TAHE must not carry out maintenance of its assets. Such operating licences are short term in nature, and the TAA allows the transport minister (portfolio minister) to grant one or more operating licences to TAHE and may amend, substitute, or impose, amend or revoke conditions of the operating licence. For the current year, the legal form of the arrangements established in its first year of operation imply TAHE has control over the assets based on the Implementation Deed and the agreements signed with the public operators. However, risks remain as TAHE is in its early stages, and the actual substance of operations will need to be observed and considered. Given the restrictions that can be placed on the entity through the Operating Licence, and the ability to make further changes to the Operating Licence and Statement of Expectations set by the portfolio minister, there is a risk there could be limitations placed on the Board of Directors to operate with sufficient independence in its decision-making with respect to the operations of TAHE. Over time, this may further impact the degree of control required by TAHE to satisfy the recognition criteria over its assets. It may also fundamentally change the presentation of TAHE’s financial statements. Future limitations to the degree of control TAHE, and its Board, can exercise over its functions may impact the degree of control TAHE has over its assets going forward. As part of the 2021–22 audit, we will monitor and assess whether, in substance, these assets continue to be controlled by TAHE and whether, in substance, TAHE can operate as an independent SOC. We require management continue to demonstrate that TAHE continues to maintain control over its assets and has the ability to operate as an independent SOC. Further details are described below under 'Transport Asset Holding Entity'.
Transport Asset Holding Entity of New South Wales (new finding)	Asset valuation The final updated valuation was based on cash flows that were in a signed Heads of Agreement, which stated that it set out the proposed indicative future access and licence fees which will form the basis of the negotiations between TAHE, Transport for NSW, Sydney Trains and NSW Trains, who will work together to review access fees and licence fees payable under the agreements and to make all necessary changes to the Operating Agreements by 1 July 2022. This adds uncertainty in the cash flows. It is crucial that TAHE formalises these updated fees in legally binding signed access and licence agreements with the relevant parties as soon as possible. Refer below for further details on the Heads of Agreement.
Transport Asset Holding Entity of New South Wales (new finding)	Conflict of interest (COI) management For procurement transactions through direct negotiation with single quotes, there was no evidence of COI declarations obtained from the consultants and contractors regarding involvement in other engagements. Contractors and consultants are required to declare actual COI. However, there was no requirement to confirm nil conflict of interest. In addition, there is a risk that perceived COI may not be adequately assessed or managed. TAHE is expected to operate as an independent SOC and would need to ensure any perceived or actual conflict of interest is adequately addressed. Management should implement a process to: ensure conflicts of interest declarations are completed when engaging all consultants and contractors (including involvement with other engagements and confirmation of nil conflicts of interests) ensure probity is undertaken to identify any actual or perceived conflicts of interest. The declarations should consider individuals and relationships that may create, or may be perceived to create, conflicts of interest.
Transport Asset Holding Entity of New South Wales (new finding)	Detailed business modelling to support returns On 18 December 2021, Transport for NSW, TAHE and the operators, Sydney Trains and NSW Trains entered into a Heads of Agreement (HoA). This HoA forms the basis of negotiations to revise the pricing within the existing 10-year contracts and deliver upon the shareholders' expectation of a return of 2.5 per cent per annum of contributed equity, including recovering the revaluation loss incurred in 2020–21. TAHE needs to revise its business plan and include detailed business modelling that supports the shareholding ministers' revised expectations of return (2.5 per cent return on the State’s equity injections and recovery of the write-down of assets over the average useful life of those assets) and align the business plan and Statement of Corporate Intent. This requires more detailed projections, estimates and plans that support how TAHE expects to recover the asset write-down and expected returns to government. The current modelling for ten years needs to be enhanced with modelling over the expected recovery period of approximately 33 years.
Transport Asset Holding Entity of New South Wales (new finding)	Access price build-up Management explained that in determining access and licence fees for the agreements with Sydney Trains and NSW Trains, assets prior to the commencement of equity injections in 2015–16 were excluded from the calculations. Management explained the premise being that these assets were previously funded by government through capital grants. The replacement and refurbishment of these assets is expected to be through government funded maintenance performed through the public rail operators and/or the equity injections from NSW Treasury rather than through access and licence fees.

The number of moderate risk findings increased from prior year

Forty-five moderate risk findings were reported in 2020–21, representing a 73.1 per cent increase from 2019–20. Of these, 14 were repeat findings, and 31 were new issues.

Key moderate risk findings related to:

weaknesses in user access management to key financial systems
management of contracts and agreements register
management of supplier and payroll masterfiles
accounting for assets
control deficiencies at service organisations
segregation of duties relating to the hiring of employees
conflict of interest management
annual leave management
review of internal audit charter
disaster recovery planning.

Transport Asset Holding Entity of New South Wales

Background

The establishment of TAHE was originally announced by the NSW Government in the 2015–16 State Budget. On 1 July 2020, the former Rail Corporation New South Wales (RailCorp), a not-for-profit entity, transitioned to the Transport Asset Holding Entity of New South Wales (TAHE), a for-profit statutory state-owned corporation under the Transport Administration Act 1988. There was no change in the structure of TAHE as a new entity was not created. Ownership remains fully with the government. TAHE, and the former RailCorp, were both classified as Public Non-Financial Corporation (PNFC) entities within the Total State Sector Accounts.

Prior to 1 July 2015, the government paid appropriations to Transport for NSW, a General Government Sector (GGS) agency, to construct transport assets. When completed, these assets were granted to the former RailCorp, a not for-profit entity within the PNFC sector. The grants to the former RailCorp were recorded as an expense in the State’s GGS budget result.

From 1 July 2015, the government announced the creation of TAHE (a dedicated asset manager). Funding for new capital projects was to be provided through equity injections and was no longer recorded as an expense to the GGS budget, even though the business model was yet to be determined. The change, as explained in the 2015–16 State Budget, was due to the expectation that the former RailCorp will transition to TAHE, which was intended, over time to provide a commercial return. That Budget also highlighted how the change, which was largely a change in the basis of accounting, was intended to improve the GGS budget result each year. In total, the GGS has contributed approximately $11.1 billion to TAHE since 2015–16. This includes the equity injections from the GGS to TAHE made in the current year of $2.4 billion.

NSW Treasury initially set a timetable for the stand-up of TAHE of 1 July 2019, which included finalising the business model, operating model and contracts for the use of TAHE's assets. The enactment of the Transport Administration Act 1988 resulted in RailCorp transitioning to TAHE on 1 July 2020, 12 months after its originally planned operational date. Contributions paid to the former RailCorp and subsequently to TAHE by the GGS were treated as equity investments from July 2015 forward. This treatment continued, despite delays in settling the business model. In 2020, the Audit Office raised a high-risk finding due to the significance of the financial reporting impacts and business risks for NSW Treasury and TAHE.

The business model adopted and the flow of funds between transport agencies in the GGS and PNFC sectors is shown in the diagram below. For further details refer to the Report on State Finances 2021.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

28 April 2022

Published

Facilitating and administering Aboriginal land claim processes

Planning

Environment

Industry

Local Government

Premier and Cabinet

Whole of Government

Cross-agency collaboration

Compliance

Management and administration

What the report is about

The Aboriginal Land Rights Act 1983 (NSW) (the Act) provides land rights over certain Crown land for Aboriginal Land Councils in NSW.

If a claim is made over Crown land (land owned and managed by government) and meets other criteria under the Act, ownership of that land is to be transferred to the Aboriginal Land Council.

This process is intended to provide compensation for the dispossession of land from Aboriginal people in NSW. It is a different process to the recognition of native title rights under Commonwealth law.

We examined whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. The relevant agencies are:

Department of Premier and Cabinet (DPC)
Department of Planning and Environment (DPE)
NSW Aboriginal Land Council (NSWALC).

We consulted with Local Aboriginal Land Councils (LALCs) and other Aboriginal community representative groups to hear about their experiences.

What we found

Neither DPC nor DPE have established the resources required for the NSW Government to deliver Aboriginal land claim processes in a coordinated way, and which transparently commits to the requirements and intent of the Act.

Delays in determining land claims result in Aboriginal Land Councils being denied the opportunity to realise their statutory right to certain Crown land. Delays also create risks due to uncertainty around the ownership, use and development of Crown land.

DPC has not established governance arrangements to ensure accountability for outcomes under the Act, and effective risk management.

DPE lacks clear performance measures for the timely and transparent delivery of its claim assessment functions. DPE also lacks a well-defined framework for prioritising assessments.

LALCs have concerns about delays, and lack of transparency in the process.

Reviews since at least 2014 have recommended actions to address numerous issues and improve outcomes, but limited progress has been made.

The database used by DPC (Office of the Registrar) for the statutory register of land claims has not been upgraded or fully validated since the 1990s.

In 2020, DPE identified the transfer of claimable Crown land to LALCs to enable economic and cultural outcomes as a strategic priority. DPE has some activities underway to do this, and to improve how it engages with Aboriginal Land Councils – but DPE still lacks a clear, resourced strategy to process over 38,000 undetermined claims within a reasonable time.

What we recommended

In summary:

DPC should lead strategic governance to oversee a resourced, coordinated program that is accountable for delivering Aboriginal land claim processes
DPE should implement a resourced, ten-year plan that increases the rate of claim processing, and includes an initial focus on land grants
DPE and DPC should jointly establish operational arrangements to deliver a coordinated interagency program for land claim processes
DPC should plan an interagency, land claim spatial information system, and the Office of the Registrar should remediate and upgrade the statutory land claims register
DPC and NSWALC should implement an education program (for state agencies and the local government sector) about the Act and its operations
DPE should implement a five-year workforce development strategy for its land claim assessment function
DPE should finalise updates to its land claim assessment procedures
DPE should enhance information sharing with Aboriginal Land Councils to inform their claim making
NSWALC should enhance information sharing and other supports to LALCs to inform their claim making and build capacity.

Fast facts

53,800 the number of claims lodged since the Act was introduced in 1983
38,200 the number of claims awaiting DPE assessment and determination (about 70 per cent of all claims lodged)
207 the number of claims granted by DPE in six months to December 2021
120 LALCs, and the NSWALC, have the right to make a claim and have it determined
+5 years around 60 per cent of claims have been awaiting determination for more than five years
22 years the time it will take DPE to determine existing claims, based on current targets

The return of land under the Aboriginal Land Rights Act 1983 (NSW) (the Act) is intended to provide compensation for the dispossession of land from Aboriginal people in New South Wales. A claim on Crown land¹ made by an Aboriginal Land Council that meets criteria under the Act is to be transferred to the claimant council as freehold title. The 2021 statutory review of the Act recognises the spiritual, social, cultural and economic importance of land to Aboriginal people.

The Minister for Aboriginal Affairs administers the Act, with support from Aboriginal Affairs NSW (AANSW) in the Department of Premier and Cabinet (DPC). AANSW also leads the delivery of Opportunity, Choice, Healing, Responsibility and Empowerment (OCHRE), the NSW Government's plan for Aboriginal affairs, and assists the Minister to implement the National Agreement on Closing the Gap – which includes a target for increasing the area of land covered by Aboriginal and Torres Strait Islander people's legal rights or interests.

The Act gives responsibility for registering land claims to an independent statutory officer, the Registrar of the Aboriginal Land Rights Act (the Registrar), whose functions are supported by the Office of the Registrar (ORALRA) which is resourced by AANSW.²

The Land and Environment Court of New South Wales has stated that there is an implied obligation for land claims to be determined within a reasonable time. The Minister administering the Crown Land Management Act 2016 (NSW) is responsible for determining land claims. This function is supported by the Department of Planning and Environment (DPE),³ whose staff assess and recommend claims for determination based on the criteria under section 36(1) of the Act. There is also a mechanism under the Act for land claims to be negotiated in good faith through an Aboriginal Land Agreement.

The NSW Aboriginal Land Council (NSWALC) is a statutory corporation constituted under the Act with a mandate to provide for the development of land rights for Aboriginal people in NSW, in conjunction with the network of 120 Local Aboriginal Land Councils (LALCs). LALCs are constituted over specific areas to represent Aboriginal communities across NSW. Both NSWALC and LALCs can make land claims.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities that are required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties need to be engaged so that these processes are coordinated effectively and managed in a way that is consistent with the intent of the Act, and other legislative requirements.

The first land claim was lodged in 1983. The number of undetermined land claims has increased over time, and at 31 December 2021 DPE data shows 38,257 undetermined claims.

The issue of undetermined land claims has been publicly reported by the Audit Office since 2007. Recommendations to agencies to better facilitate processes and improve how functions are administered have been made in multiple reviews, including two Parliamentary inquiries in 2016.

The objective of this audit was to assess whether relevant agencies are effectively facilitating and administering Aboriginal land claim processes. In making this assessment, we considered whether:

agencies (DPE, DPC (AANSW and ORALRA) and NSWALC) coordinate information and activities to effectively facilitate Aboriginal land claim processes
agencies (DPE and DPC (ORALRA)) are effectively administering their roles in the Aboriginal land claim process.

We consulted with LALCs to hear about their experiences and priorities with respect to Aboriginal land claim processes and related outcomes. We have aimed to incorporate their insights into our understanding of their expectations of government with respect to delivering requirements, facilitating processes, and identifying opportunities for improved outcomes.

Conclusion

The Department of Premier and Cabinet (DPC) and the Department of Planning and Environment (DPE) are not effectively facilitating or administering Aboriginal land claim processes. Neither agency has established the resources required for the NSW Government to operate a coordinated program of activities to deliver land claim processes in a way that transparently commits to the requirements and intent of the Aboriginal Land Rights Act 1983 (NSW) (the Act). Arrangements to engage the NSW Aboriginal Land Council (NSWALC) in these activities have not been clearly defined.

There are more than 38,000 undetermined land claims that cover approximately 1.12 million hectares of Crown land. As such, DPE has not been meeting its statutory requirement to determine land claims nor its obligation to do so within a reasonable time. Over 60 per cent of these claims were lodged with the Registrar of the Aboriginal Land Rights Act, for DPE to determine, more than five years ago.

DPE’s Aboriginal Outcomes Strategy 2020–23 identifies transferring claimable Crown land to Local Aboriginal Land Councils (LALCs) as a priority to enable economic and cultural outcomes. Since mid-2020 DPE has largely focused on supporting LALCs to identify priority land claims for assessment and on negotiating Aboriginal Land Agreements. This work may support the compensatory intent of the Act but is in its early stages and is unlikely to increase the pace at which land claims are determined. Based on current targets, it will take DPE around 22 years to process existing undetermined land claims.

Delays in processing land claims result in Aboriginal Land Councils being denied the opportunity to realise their statutory right to certain Crown land in NSW. The intent of the Act to provide compensation to Aboriginal people for the dispossession of land has been significantly constrained over time.

Since 2014, numerous reviews have made recommendations to agencies to address systemic issues, improve processes, and enhance outcomes: but DPC and DPE have made limited progress with implementing these. Awareness of the intent and operations of the Act was often poor among staff from some State government agencies and local government representatives we interviewed for the audit.

DPC has not established culturally informed, interagency governance to effectively oversee Aboriginal land claim processes – and ensure accountability for outcomes consistent with the intent of the Act, informed by the expectations of the NSWALC and LALCs. Such governance has not existed since at least 2017 (the audited period) and we have not seen evidence earlier. DPE still does not have performance indicators for its land claim assessment function that are based on a clear analysis of resources, that demonstrate alignment to defined outcomes, and which are reported routinely to key stakeholders, including NSWALC and LALCs.

LALCs have raised strong concerns during our consultations, describing delays in the land claim process and the number of undetermined land claims as disrespectful. LALCs have also noted a lack of transparency in, and opportunity to engage with, Aboriginal land claim processes. DPE’s role in assessing Aboriginal land claims, and identifying opportunities for Aboriginal Land Agreements, requires specific expertise, evidence gathering and an understanding of the complex interaction between the Act and other legislative frameworks, including the Native Title Act 1993 (Cth) and the Crown Land Management Act 2016 (NSW). In mid-2020, DPE created an Aboriginal Land Strategy Directorate within its Crown lands division, increased staffing in land claim assessment functions, and set a target to increase the number of land claims to be granted in 2021–22. In the six months to December 2021, DPE granted more land claims (207 claims) than in most years prior. DPE has also assisted some LALCs to identify priority land claims for assessment.

But the overall number of claims processed per year remains well below the historical (five-year) average number of claims lodged (2,506 claims). As such, DPE has not yet established an appropriately resourced workforce to assess the large number of undetermined land claims and engage effectively with Aboriginal Land Councils and other parties in the process. There also are notable gaps in DPE’s procedures that impact the transparency of the process, especially with respect to timeframes and the prioritisation of land claims for assessment.

DPC (the Office of the Registrar of the Aboriginal Land Rights Act, ORALRA) has not secured or applied resources that would assist the Registrar to use discretionary powers, introduced in 2015, not to refer certain land claims to DPE for assessment (those not on Crown land). This could have improved the efficiency and coordination of end-to-end land claim processes.

DPC (ORALRA) is also not effectively managing data and ensuring the functionality of the statutory Register of Aboriginal land claims. This contributes to inefficient coordination with DPE and NSWALC, and creates a risk of inconsistent information sharing with LALCs, government agencies, local councils and other parties. More broadly, responsibilities for sharing information about the location and status of land under claim are not well defined across agencies. These factors contribute to risks to Crown land with an undetermined land claim, which case law has found to establish inchoate property rights for the claimant Aboriginal Land Council.⁴ It can also lead to uncertainty around the ownership, use and development of Crown land, with financial implications for various parties.

¹ Crown land is land that is owned and managed by the NSW Government.

² AANSW and ORALRA were previously part of the Department of Education, before the 1 July 2019 Machinery of Government changes.

³ Previously, these functions were undertaken by the Department of Industry (2017–June 2019) and the Department of Planning, Industry and Environment (July 2019 to December 2021).

⁴ The lodgement of a land claim creates an unformed property interest for the claimant Aboriginal Land Council over the claimed land. This interest will be realised if the Crown Lands Minister determines that the land is claimable.

Since 1983, 53,861 Aboriginal land claims have been lodged with the Registrar.²⁵

The Land and Environment Court of New South Wales has stated there is an implied obligation on the Crown Lands Minister to determine land claims within a reasonable time.²⁶

As at 31 December 2021, DPE has processed less than a third (31 per cent) of these land claims: 14,273 were determined by the Crown Lands Minister (that is, granted or refused, in whole or part) and 2,562 were withdrawn. This amounts to 16,835 claims processed, including the negotiated settlement of 15 claims through three Aboriginal Land Agreements. As a result, DPE reports that approximately 163,900 hectares of Crown land has been granted to Aboriginal Land Councils since 1983 up to 31 December 2021.

There are 38,257 land claims awaiting determination, which cover about 1.12 million hectares of Crown land.

The 2017 report on the statutory review of the Act noted that the land claims ‘backlog’ was one of the ‘Top 5’ priorities identified by LALCs during consultations. The importance of this issue is consistent with findings from our consultations with LALCs in 2021 (see Exhibit 7).

Exhibit 7: LALCs report that delays undermine the compensatory intent of the Act
LALCs raised concerns about delays in the Aboriginal land claim process, including waiting decades for claims to be assessed and years for land to be transferred once granted. The large number of undetermined claims has been described by LALCs as disrespectful, and as reflecting under-resourcing by governments. LALCs reported that these delays undermine the compensatory intent of the Act, including by creating uncertainty for their plans to support the social and economic aspirations of their communities.

Source: NSW Audit Office consultation with LALCs.

Delays in delivering on the statutory requirement to determine land claims, and limited use of other mechanisms to process claims in consultation or agreement with NSWALC and LALCs, undermines the beneficial and remedial intent of Aboriginal land rights under the Act. It also:

impacts negatively on DPE’s ability to comply with the statutory requirement to determine land claims, because often the older a claim becomes the more difficult it can be to gather the evidence required to assess it
creates uncertainty around the ownership, use and development of Crown land, which can have financial impacts on Aboriginal Land Councils, government agencies, local councils and developers.

Risks that arise in the context of undetermined claims are discussed further in section 3.3.

²⁵ According to DPC (ORALRA) data in the ALC Register up to 31 December 2021. DPC (ORALRA) data indicates that the Registrar has refused to refer claims to DPE for assessment under section 36(4A) of the Act in a small number of cases – for example, seven times in 2017 and none since that time.
²⁶ Jerrinja Local Aboriginal Land Council v Minister Administering the Crown Lands Act [2007] NSWLEC 577 at 125. The Court stated, ‘While a reasonable time may vary on a case-by-case basis, a delay of 15 to 20 years in determining claims does not accord with any idea of reasonableness’.

NSW Treasury describes public sector governance as providing strategic direction, ensuring objectives are achieved, and managing risks and the use of resources responsibly with accountability.

Consistent with the NSW Treasury’s Risk Management Toolkit (TPP-12-03b), governance arrangements for Aboriginal land claim processes should ensure their effective facilitation and administration. That is, arrangements are expected to contribute to and oversee the performance of administrative processes and service delivery towards outcomes, and ensure that legal and policy compliance obligations are met consistent with community expectations of accountability and transparency.

DPC and DPE are responsible for governance and, in partnership with NSWALC, operational and information-sharing activities required to coordinate Aboriginal land claim processes. LALCs, statutory officers, government agencies, local councils, and other parties (such as native title groups and those with an interest in development on Crown land) need to be engaged so that these processes are coordinated effectively with risks managed – consistent with the intent of the Act, and other legislative requirements.

Policy commitments to Aboriginal people and communities made by the NSW Government in the OCHRE Plan and Closing the Gap priority reforms establish an expectation for culturally informed governance.

Exhibit 12: LALCs want their voices to be heard and responded to by government
LALCs expressed a strong desire to have their voices heard so that outcomes in the Aboriginal land claim process are informed by LALC aspirations and consistent with the intent of the Act. The importance of respect and transparency were consistently raised. The following quotes are from our consultations with LALCs during this audit which illustrate the inherent cultural value of land being returned, as well as the importance of its social and economic value and potential. There’s batches of land in and around town. This land is significant…We want to get the land activated to encourage economic development, and promote the community…our job is to step up to create infrastructure, employment, maintenance and services and lead by example. One of the best things we were able to do is develop a long term 20-year plan and where Crown Land could directly see where land was transferred to us and it was going to things like education, housing, health and other social programs… There has been a claim lodged on a parcel of land that has long lasting cultural significance, a place that is very special to the Aboriginal community members and holds a lot of history. If the claim lodged was successful this land would be used to strengthen the cultural knowledge of the local youth, through placing signage that depicts stories that have been passed down by the Elders, cultural talks and tours and school group visits. This land, although not large in size, has a significant number of cultural trees and artefacts. Aboriginal families and members of the LALC that have lived in our town are very protective of the site and others surrounding it, respecting the importance of the cultural history of the site. There is one, which is a cultural one. We received a land claim that contained a cultural site. This is the high point: we were given back lands that contained rock engravings, carvings. A real diamond for us, especially as an urban based land council. At the heart of the ALRA is the ability to claim Crown Land…The slow determination of claims gets in the way of us doing what we want to do, which is focus on our communities and address our real needs which are about health, wellbeing and culture. If we could realise these rights, we can address all sorts of socio-economic needs. We would become an economic benefit to the state…If it was operating well there could be more caring for Country too.

Note: Permission has been granted by LALC interviewees to use these quotes in this context.
Source: Excerpts from NSW Audit Office interviews with LALC representatives, facilitated by Indigenous consultants.

The Crown Lands Minister, supported by DPE, is required to determine whether Aboriginal land claims meet the criteria to be ‘claimable Crown lands’ under section 36(1) of the Act. DPE staff within its Crown Lands division are responsible for assessing land claims and preparing recommendation briefs to the Crown Lands Minister, or their delegate, on determination outcomes. That is, on whether to grant or refuse the claim.³⁸ DPE staff also make decisions about which land claims within the large number of undetermined claims should be processed first.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Banner image used with permission.
Title: Forces of Nature
Artist: Lee Hampton – Koori Kicks Art

Copyright notice

Parliamentary reference - Report number #365 - released 28 April 2022.

13 April 2022

Published

Building regulation: combustible external cladding

Finance

Local Government

Planning

Compliance

Infrastructure

Regulation

Risk

What the report is about

The report focuses on how effectively the Department of Customer Service (DCS) and Department of Planning and Environment (DPE) led reforms addressing the unsafe use of combustible external cladding on existing residential and public buildings.

Nine local councils were included in the audit because they have responsibilities and powers needed to implement the NSW Government’s reforms.

What we found

After the June 2017 Grenfell Tower fire in London, the NSW Government committed to a ten-point action plan, which included establishing the NSW Cladding Taskforce, chaired by DCS, and with DPE as a key member. The Taskforce co-ordinates and oversees the implementation of the plan.

Depending on the original source of development approval, either individual local councils or DPE are responsible for ensuring that buildings are identified, assessed, and remediated. NSW Government-owned buildings are the responsibility of each department.

Identifying buildings potentially at risk was complex and resource intensive. However, on balance, it is likely that most affected buildings have now been identified.

By October 2021, around 40 per cent of assessed high-risk buildings that are the responsibility of local councils had either been remediated or found not to pose an unacceptable fire risk.

By February 2022, almost 50 per cent of affected NSW Government-owned buildings, and 90 per cent of buildings that are the responsibility of DPE, have either been cleared or are in the process of being remediated.

Earlier guidance on some key issues could have been provided by DCS and DPE in the two years after the Grenfell Tower fire. This may have reduced confusion and inconsistency across local councils we audited, and in some NSW Government departments. This especially relates to the application of the Fair Trading Commissioner's product use ban.

Given the inherent risks posed by combustible external cladding, buildings initially assessed as low-risk may also still warrant further action.

While most high-risk buildings have likely been identified, poor information handling makes it difficult to keep track of all buildings from identification, through to risk assessment and remediation.

What we recommended

DCS and DPE should:

address the confusion surrounding the application of the Commissioner for Fair Trading's product use ban for aluminium composite panels with polyethylene content greater than 30 per cent
develop an action plan to address buildings assessed as low-risk
improve information systems to track all buildings from identification through to remediation.

Fast facts

Authority responsible for ensuring that owners make their buildings safe	Approximate number of buildings referred for further investigation*	Approximate percentage of buildings remediated or assessed to be safe
Local councils	1,200	40%
NSW Government owned	66	50%
DPE under delegation from the Minister for Planning	137	90%

*After initial inspection by Fire and Rescue NSW, and/or preliminary inquiries by the consent authority, it was identified that the building may be at high-risk of
fire from combustible external cladding.

NSW Government's response to the risks posed by combustible external cladding

The NSW Government first became aware of the potential heightened risks posed by combustible external cladding on building exteriors after the 2014 Lacrosse Tower fire in Melbourne. However, it was the tragic loss of life from the Grenfell Tower fire in London, in June 2017, that gave added urgency to the need to address these risks.

Within six weeks of the London fire, the NSW Government committed to a ten-point plan of action for NSW to:

identify and remediate any buildings with combustible external cladding
ensure that regulation prevented the unsafe use of such cladding
ensure that experts involved in providing advice and certifying fire safety measures had the necessary skills and experience.

One of the actions in the ten-point plan was the creation of the NSW Government's Fire Safety and External Wall Cladding Taskforce (the Cladding Taskforce) chaired by the Department of Customer Service (DCS) and with the Department of Planning and Environment (DPE) as a key member.

The ten-point plan also specified that NSW Government departments would be responsible, in regard to buildings they owned to '…audit their buildings and determine if they have aluminium cladding'.

Local councils play a key role in implementing the Government's reforms, given their responsibilities and powers under the Environmental Planning and Assessment Act 1979 (EPA Act) and Local Government Act 1993 (Local Government Act) to approve building works (as 'consent authorities'), as well as to ensure fire safety standards are met. DPE plays an equivalent role for a smaller number of 'State Significant Developments' for which it is the consent authority under delegation from the Minister for Planning.

Commissioner for Fair Trading's building product use ban

On 18 December 2017, the Building Products (Safety) Act 2017 (BPS Act) came into effect in NSW, introducing new laws to prevent the use of unsafe building products. Notably, the BPS Act gave the Secretary of DCS and the Commissioner for Fair Trading the power to ban unsafe uses of building products.

After an extensive consultative process, the Commissioner for Fair Trading used these powers to issue a product use ban on 15 August 2018. This banned the use of external wall cladding of aluminium composite panels with a core comprised of more than 30 per cent polyethylene by mass on new buildings, unless the proposed use was subject to independent fire propagation testing of the specific product and method of application to a building in accordance with relevant Australian Standards.

Buildings occupied before the product use ban came into force are not automatically required to have the banned product removed. Under the BPS Act, consent authorities may determine necessary actions to eliminate or minimise the risk posed by the banned material on existing buildings.

Project Remediate

Project Remediate is a three-year NSW Government program announced in November 2020. The program was designed by the NSW Government to assist building owners of multi-storey apartments (two storeys or more) with high-risk combustible cladding to remediate their building to a high standard and for a fair price.

The scheme is voluntary and includes government paying for the interest on ten-year loans, as well as incorporating assurance and project management services to provide technical and practical support to owners’ corporations and strata managing agents. Building remediations under the program are expected to commence in 2022.

About this audit

This audit assessed whether DCS and DPE effectively led reforms to manage the fire safety risk of combustible external cladding on existing residential and public buildings.

In making this assessment, we considered whether the expressed policy intent of the NSW Government's ten-point plan for fire safety reform had been achieved by asking:

are the fire safety risks of combustible external cladding on existing buildings identified and remediated?
is there a comprehensive building product safety scheme that prevents the dangerous use of combustible external cladding products on existing buildings?
is fire safety certification for combustible external cladding on existing buildings carried out impartially, ethically and in the public interest by qualified experts?

Consistent with the focus of the Cladding Taskforce on multi-storey residential buildings and public buildings, the scope of our audit is limited to buildings categorised under the Building Code of Australia (BCA) as class 2, 3 and 9. These classes are defined in detail in section 1.2, but include: multi-unit residential apartments, hotels, motels, hostels, back-packers, and buildings of a public nature, including health care buildings, schools, and aged care buildings. The scope was also limited to existing buildings, which is defined as buildings occupied by 22 October 2018.

Auditees

The Department of Customer Service chairs the NSW Government's Cladding Taskforce, which is responsible for coordinating the combustible external cladding reforms. The Commissioner of Fair Trading sits within DCS and DCS regulates the industry accreditation scheme for fire safety practitioners, as well as administering the BPS Act.

The Department of Planning and Environment administers the EPA Act and the Environmental Planning and Assessment Regulation 2000 (EPA Regulation), which regulate the building development process. As well as being the delegated consent authority for State Significant Developments, DPE is also responsible for maintaining the mandatory cladding register requiring building owners of multi-storey (BCA class 2, 3 or 9) buildings to register buildings with combustible external cladding on an online portal.

Functions and responsibilities between DCS and DPE varied over time. For example, in October 2019, the DPE building policy team responsible for co-ordinating the DPE response to the combustible cladding issue was transferred to DCS, following changes to agency responsibilities resulting from machinery of government changes. DPE advised this resulted in a lessening of DPE's subsequent policy work on combustible cladding and its involvement in the Cladding Taskforce.

While the focus of the audit was on the oversight and coordination provided by DCS and DPE, nine councils were also auditees for this performance audit. Councils play an essential part as consent authorities for building development approvals in NSW, as well as having responsibilities and powers to ensure fire safety standards. To fully understand how well their activities were overseen and coordinated, a sample of councils was included as auditees.

Nine councils were selected to represent both metropolitan and regional areas, noting that there are very few in-scope buildings in rural areas. The audited councils were:

Bayside Council
City of Canterbury Bankstown Council
Cumberland City Council
Liverpool City Council
City of Newcastle Council
City of Parramatta Council
City of Ryde Council
City of Sydney Council
Wollongong City Council.

Terminology

The two NSW Government department auditees have, over time, been subject to machinery of government changes, which have changed some of their functions and what the departments are called.

Relevant to this audit, the effect of these changes has been:

the Department of Finance, Services, and Innovation (DFSI) became the Department of Customer Services (DCS) on 1 July 2019
on 1 July 2019, the Department of Planning and Environment became the Department of Planning, Industry, and Environment (DPIE)
on 21 December 2021, DPIE became the Department of Planning and Environment (DPE).

To avoid confusion, we use the titles by which these departments are known at the date of this report: the Department of Customer Service and the Department of Planning and Environment.

Conclusion

At July 2017, immediately after the Grenfell Tower fire, there was no reliable source to identify buildings that may have had combustible external cladding. However, it is now likely that most high-risk buildings have been identified.

Following the 2014 Lacrosse Tower fire in Melbourne, the NSW Government recognised that there was a need to be able to identify buildings in NSW that could have combustible external cladding.

The process of identifying buildings that could have combustible external cladding has been complex, resource-intensive, and inefficient principally due to the lack of centralised and coordinated building records in NSW. In total, approximately 1,200 BCA class 2, 3 and 9 buildings have been brought to the attention of councils by either Fire and Rescue NSW (FRNSW), the Cladding Taskforce, or through councils' own inspection for possible further action. In addition, approximately 2,000 more buildings were inspected by FRNSW but not referred to local councils because they either had no combustible external cladding or had combustible external cladding not assessed as being high-risk.

A multi-pronged approach to identifying buildings has been used by the DCS and DPE, through the Cladding Taskforce. While it is impossible to know the full scope of potentially affected buildings, the approach appears thorough in having identified most relevant buildings.

The process of clearing buildings with combustible external cladding has been inconsistent.

In the more than four years since the NSW Government's ten-point plan was announced, around 40 per cent of the buildings brought to the attention of councils have been cleared by either rectification or being found not to pose an unacceptable fire risk. Also, around 50 per cent of NSW Government-owned buildings identified with combustible external cladding and almost 90 per cent of identified buildings for which DPE is consent authority have been cleared or remediation is underway.

While DCS and DPE did seek to work cooperatively with councils and provided high-level guidance on the NSW Government’s fire safety reforms, it took until September 2019 before a model process and other detailed advice was provided to councils to encourage consistent processes. DCS and DPE advice to councils and NSW Government-building owners should have been more timely on two key issues:

the use of experts in the process of assessing and remediating existing buildings, and
the implementation of the product use ban on aluminium composite panels with polyethylene content 30 per cent or greater.

Clarifying the application of the product use ban may require consent authorities and building owners to revisit how some buildings have been cleared.

The management of buildings assessed as low-risk by FRNSW, estimated to be over 500, has not been a priority of the Cladding Taskforce to date, despite those buildings potentially posing unacceptable fire risks.

Information management by the Cladding Taskforce is inadequate to provide a high-level of assurance that all known affected buildings have been given proper attention.

While most high-risk buildings have likely been identified, information management is not sufficiently robust to reliably track all buildings through the process from identification, through to risk assessment and, where necessary, remediation.

Reforms to certifier registration schemes are limited to new buildings and do not apply to the existing buildings covered by this audit.

While reforms are limited in application to new buildings, some consent authorities took steps to obtain greater assurance on the quality of the work done by fire safety experts regarding combustible external cladding on existing buildings. For example, by requiring fire safety experts to be appropriately qualified and requiring peer review of cladding risk assessments and proposed remediation plans.

This chapter considers the part played by DCS and DPE as key members of the Cladding Taskforce in ensuring that buildings with combustible external cladding were effectively identified and remediated through processes implemented by:

local councils or DPE, where those bodies were consent authorities under the EPA Act for the relevant buildings
in the case of NSW Government buildings, the departments that owned those buildings.

This chapter considers what has been done to deliver a comprehensive building product safety scheme that prevents the dangerous use of combustible external cladding products.

This chapter considers whether reforms have ensured that only people with the necessary skills and experience are certifying buildings and signing off on fire-safety.

Inspections of existing buildings and development of any subsequent action plans to address combustible external cladding are not activities covered by accreditation or registration schemes for building certifiers

Almost all the risk assessment and remediation work done on buildings in the scope of this audit have been undertaken under fire safety orders issued by consent authorities using their powers under the EPA Act. This has been the recommended approach by DPE and DCS since at least 2016 (that is, before the Grenfell Tower fire in London).

While there have been reforms to certifier registrations scheme, these were not intended to ensure that combustible cladding-remediation on existing buildings is supported by people with the necessary skills and experience in fire safety under the fire safety order process. Instead, they are focused on offering better assurance for work done in respect to new building projects where accredited experts certify that building work is carried out in accordance with BCA under the DCS managed certifier registration schemes.

No steps have been taken to ensure the quality of the work done by experts inspecting, assessing the fire risk and developing action plans to address combustible external cladding on existing buildings, other than where consent authorities have chosen to exercise their discretion. This includes requiring fire safety experts to be appropriately qualified and requiring peer review of some cladding risk assessments and remediation plans.

Consent authorities determine whether individuals with accreditation are required for combustible cladding inspection, risk assessments and remediation on existing buildings

Whether an individual with certifier accreditation participates in a cladding inspection, risk assessment, or remediation for an existing building will be determined by what councils as consent authorities specify in their fire safety orders unless building owners opt to use such experts without being directed to do so by the consent authority.

As discussed earlier, councils acting as consent authorities vary in whether they require building owners to engage individuals with certifier accreditation. In most of the councils we audited, A1 or C10 accredited experts were either required, or recommended, to perform functions such as auditing suspected combustible cladding, or conducting fire safety risk assessments and developing plans to rectify combustible cladding.

However, these types of work are not functions covered by the accreditation or registration schemes that apply to building and development certifiers.

Certifier accreditation schemes do not cover cladding remediation work done under fire safety orders

While councils may require or recommend that independent accredited A1 or C10 certifiers be engaged by building owners for cladding risk assessment and remediation, they are not performing those functions as certifiers — they are, in effect, more akin to expert consultants. Accordingly, how they perform their functions and duties is not covered by the legislation supporting the accreditation scheme for certifiers that was operated until July 2020 by the Building Professional Board.

Instead, their use in this process is a convenient and practical way for consent authorities to ensure that building owners use appropriate experts who have the qualifications, skills and experience needed to investigate and identify combustible cladding, and then to formulate appropriate action to deal with such cladding. However, these individuals are not performing regulated or accredited work, are not subject to regulatory oversight, and are not accountable to any accreditation body for the quality of the work they perform.

While councils could (and sometimes do) choose to decline poor quality or incomplete cladding-related work prepared by A1 or C10 certifiers, the burden of resolving poor quality would fall on the building owner, who would have to seek amended or additional risk assessments or rectification plans.

In the absence of regulatory oversight, disincentives for poor quality cladding-related work, may include litigation being commenced by the property owner, harm to the expert's reputation in a small and competitive market, and the potential impact on whether the individual could retain their professional indemnity insurance at a reasonable cost (especially in an environment when many insurance providers withdrew coverage for cladding related work).

Reforms impact on regulated experts doing work on new buildings

The reforms that commenced on 1 July 2020, replaced categories of accreditation with classes of registration, and varied the classes such that:

accredited building surveyor category A1 became registered building surveyor-unrestricted
accredited certifier—fire safety engineer category C10 became registered certifiers-fire safety.

The legislation that introduced these reforms, the Building and Development Certifiers Act 2018, also repealed the pre-existing Building Professionals Act 2005 and abolished the Building Professionals Board. The new Act was accompanied by the Building and Development Certifiers Regulation 2020.

While the scope of this audit is limited to existing buildings, we note that there are buildings with combustible external cladding that are yet to be remediated. Just as these processes previously drew on the expertise of A1 and C10 category certifiers, it seems inevitable that the remediation of existing buildings will continue to draw on the expertise of the equivalent new classes of registered building surveyor-unrestricted and registered certifier-fire safety.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #364 - released 13 April 2022.

17 December 2021

Published

Planning, Industry and Environment 2021

Environment

Industry

Local Government

Planning

Asset valuation

Financial reporting

Information technology

Internal controls and governance

Risk

This report analyses the results of our audits of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Planning, Industry and Environment cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Planning, Industry and Environment cluster agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.

An 'Other Matter' paragraph was included in the Independent Planning Commission's (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983 (PF&A Act). The financial reporting provisions of the Government Sector Finance Act 2018 now require the IPC to prepare financial statements.

The number of identified misstatements increased from 51 in 2019–20 to 54 in 2020–21.

The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements are incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. Management has commenced actions to improve the governance and financial management of the Corporation. These audits are currently in progress and the 2020–21 audit will commence shortly.

There are 609 State controlled Crown land managers (CLMs) across New South Wales that predominantly manage small parcels of Crown land.

Eight CLMs prepared and submitted 2019–20 financial statements by the revised deadline of 30 June 2021. A further 24 CLMs did not prepare financial statements in accordance with the PF&A Act. The remaining CLMs were not required to prepare 2019–20 financial statements as they met NSW Treasury's financial reporting exemption criteria.

The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 CLMs are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21.

There are also 120 common trusts that have never submitted financial statements for audit. Common trusts are responsible for the care, control and management of land that has been set aside for specific use in a certain locality, such as grazing, camping or bushwalking.

What the key issues were

The number of matters we reported to management increased from 135 in 2019–20 to 180 in 2020–21, of which 40 per cent were repeat findings.

Seven high-risk issues were identified in 2020–21:

system control deficiencies at the department relating to user access to HR and payroll management systems, vendor master data management and journal processing, which require manual reviews to mitigate risks
deficiencies related to the Centennial Park and Moore Park Trust's tree assets valuation methodology
the Lord Howe Island Board did not regularly review and monitor privileged user access rights to key information systems
the Natural Resources Access Regulator identified and adjusted three prior period errors retrospectively, which indicate deficiencies within the financial reporting processes
deficiencies relating to the Parramatta Park Trust's tree assets valuation methodology
lease arrangements have not been confirmed between the Planning Ministerial Corporation and Office of Sport regarding the Sydney International Regatta Centre
the Wentworth Park Sporting Complex land manager (the land manager) has a $6.5 million loan with Greyhound Racing NSW (GRNSW). GRNSW requested the land manager to repay the loan. However, the land manager subsequently requested GRNSW to convert the loan to a grant. Should this request be denied, the land manager would not be able to continue as a going concern without financial support. This matter remains unresolved for many years.

There continues to be significant deficiencies in Crown land records. The department uses the Crown Land Information Database (CLID) to record key information relating to Crown land in New South Wales that are managed and controlled by the department and land managers (including councils and land managers controlled by the state). The CLID system was not designed to facilitate financial reporting and the department is required to conduct extensive adjustments and reconciliations to produce accurate information for the financial statements.

The department is implementing a new system to record Crown land (the CrownTracker project). The department advised that the project completion date will be confirmed by June 2022.

What we recommended

The department should ensure CLMs and common trusts meet their statutory reporting obligations.

Cluster agencies should prioritise and action recommendations to address internal control deficiencies, with a focus on addressing high-risk and repeat issues.

The department should prioritise action to ensure the Crown land database is complete and accurate. This will allow the department and CLMs to be better informed about the Crown land they control.

Fast facts

The Planning, Industry and Environment cluster aims to make the lives of people in New South Wales better by developing well-connected communities, preserving the environment, supporting industries and contributing to a strong economy.

There are 54 agencies, 609 State controlled Crown land managers that predominantly manage small parcels of Crown land and 120 common trusts in the cluster.

42% of the area of NSW is Crown land
$33.2b water and electricity infrastructure as at 30 June 2021
100% unqualified audit opinions were issued for all completed 30 June 2021 financial statements audits
7 high-risk management letter findings were identified
54 monetary misstatements were reported in 2020–21
40% of reported issues were repeat issues

This report provides parliament and other users of the Planning, Industry and Environment cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster (the cluster) for 2021.

Section highlights

Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.
An 'Other Matter' paragraph was included in the Independent Planning Commission’s (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983. From 2020–21, the IPC is required to prepare financial statements under the Government Sector Finance Act 2018.
The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements were incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. These audits are currently underway, and the 2020–21 audit will commence shortly.
The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 State controlled Crown land managers (CLMs) are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21. All 120 common trusts have never submitted their financial statements for audit. The department needs to do more to ensure that the CLMs and common trusts meet their statutory reporting obligations.
Nine agencies that were required to perform early close procedures did not complete a total of 20 mandatory procedures. The most common incomplete early close procedures include the revaluation of property, plant and equipment, documenting all significant management judgments and assumptions, and the implementation of new and updated accounting standards.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster.

Section highlights

The number of findings reported to management has increased from 135 in 2019–20 to 180 in 2020–21, and 40 per cent were repeat issues.
Seven high-risk issues were identified in 2020–21, and three high-risk findings were repeat issues.
There continues to be significant deficiencies in Crown land records. The department should prioritise action to ensure the Crown land database is complete and accurate.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

15 December 2021

Published

Health 2021

Health

Asset valuation

Compliance

Cyber security

Financial reporting

Infrastructure

Internal controls and governance

Procurement

This report analyses the results of our audits of the Health cluster agencies for the year ended 30 June 2021.

As there are no outstanding matters relating to audits in the Health cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of Health cluster (the cluster) agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for the financial statements of all Health cluster agencies.

The COVID-19 pandemic increased the complexity and number of accounting matters faced by the cluster. The total gross value of corrected misstatements in 2020–21 was $250.2 million, of which $226.0 million were pandemic related.

A qualified audit opinion was issued on the Annual Prudential Compliance Statement. The basis of the qualification related to 19 instances (18 in 2018–19) of non-compliance relating to three of the 20 prudential requirements across five aged care facilities.

What the key issues were

The total number of matters we reported to management across the cluster increased from 112 in 2019–20 to 116 in 2020–21. Of the 116 issues raised in 2020–21, three were high risk (one in 2019–20) and 57 were moderate risk (47 in 2019–20). Nearly one half of the issues were repeat issues.

The three new high-risk issues identified were:

Hotel Quarantine (HQ) fees

The absence of a tailored debt recovery strategy, data integrity issues and uncertainties around future HQ arrangements increased risks around the recoverability of HQ fees from travellers.

COVID-19 inventories

Data errors and anomalies in the impairment model and difficulties forecasting key factors impacting the management of Personal Protective Equipment (PPE) increased uncertainty associated with the valuation and impairment of COVID-19 inventories.

COVID-19 vaccines

The Commonwealth did not provide information about the cost of vaccines provided to NSW free of charge, which required the performance of internal valuations to reflect the consumption of vaccines in the financial statements.

What we recommended

Hotel Quarantine (HQ) fees

Develop a tailored assessment methodology to estimate recoverability of HQ fees and work with Revenue NSW to develop a tailored debt recovery strategy.

COVID-19 inventories

Review the current stocktaking and impairment methodology to incorporate validation of data key to the management of COVID-19 related PPE.

COVID-19 vaccines

Work with the Commonwealth to obtain primary price information on COVID-19 vaccines.

Fast facts

The Health cluster, comprising 15 local health districts, five pillars agencies, two specialty health networks and six shared state-wise services agencies, deliver health services to the people of New South Wales.

100% unqualified audit opinions were issued on agencies' 30 June 2021 financial statements
24 monetary misstatements were reported in 2020–21
3 high risk management letter findings were identified
47.4% of reported issues were repeat issues
$23.5b property, plant and equipment as at 30 June 2021
$26.8b total expenditure incurred in 2020–21

This report provides Parliament and other users of the Health cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

financial reporting
audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations related to the financial reporting of agencies in the Health cluster (the cluster) for 2021.

Section highlights

Unqualified audit opinions were issued for all cluster agencies required to prepare general-purpose financial statements.
The total gross value of all corrected monetary misstatements for 2020–21 was $250.2 million, of which $226.0 million were related to complexities arising from the COVID-19 pandemic.
A qualified audit opinion was issued on the Ministry's Annual Prudential Compliance Statement.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making. This chapter outlines our observations and insights from our financial statement audits of agencies in the Health cluster.

Section highlights

The total number of internal control deficiencies has increased from 112 issues in 2019–20 to 116 in 2020–21. Of the 116 issues raised in 2020–21, three were high (one in 2019–20) and 57 were moderate (47 in 2019–20); with nearly one half of all control deficiencies reported in 2020–21 being repeat issues.
The complexities arising from accounting for agreements between governments to respond to the COVID-19 pandemic presented three new high risk audit findings with respect to the:
- expected rate of recoverability of outstanding Hotel Quarantine fees
- procurement, stocktaking and impairment of COVID-19 inventories
- valuation and recognition of COVID-19 vaccines received from the Commonwealth Government.
Management of excessive leave balances and poor quality or lack of documentation supporting key agreements were amongst the repeat issues observed again in the 2020–21 financial reporting period.

Findings reported to management

The number of findings reported to management has increased, with 47.4 per cent of all issues being repeat issues

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of cluster agencies. The Audit Office does this through our management letters, which include observations, implications, recommendations and risk ratings.

In 2020–21, there were 116 findings raised across the cluster (112 in 2019–20). 47.4 per cent of all issues were repeat issues (38.4 per cent in 2019–20).

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

Risk rating	Issue
Information technology
Moderate² 7 new, 3 repeat	We identified the need for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with: lack of reviews of user access and privileged user access for HealthRoster Assets and Facilities Management Online vMoney Powerhouse Patient Billing and Revenue Collection system. Repeat issues included: deficient password controls no independent review for data integrity of any changes made to HealthRoster incomplete reviews of StaffLink User Access.
Low¹ 4 new, 5 repeat
Internal control deficiencies or improvements
High³ 1 new, 0 repeat	We identified internal control weaknesses across key business processes, including new issues relating to: procurement, stocktaking and impairment of COVID-19 inventories (personal protective equipment) instances where employees' timesheets were approved in advance monthly reconciliations not reviewed in a timely manner asset revaluation processes at Illawarra Shoalhaven Local Health District. Repeat issues included: forced finalisation of rosters in order to finalise processing of payroll partial repeat issue relating to HealthShare NSW's stocktake process, refer to details in the following section of this report.
Moderate² 6 new, 12 repeat
Low¹ 10 new, 4 repeat
Financial reporting
High³ 2 new, 0 repeat	We identified weaknesses with respect to financial reporting in relation to the: expected rate of recoverability of outstanding Hotel Quarantine fees valuation and recognition of COVID-19 vaccines received from the Commonwealth Government application of AASB 16 'Leases' improvement in health agencies' grant register to better support management's accounting treatment under the applicable revenue accounting standards.
Moderate² 6 new, 1 repeat
Low¹ 8 new, 3 repeat
Governance and oversight
Moderate² 9 new, 5 repeat	We identified opportunities for agencies to improve governance and oversight processes, including: ensure better documentation around governance arrangements for major health capital works delivered by Health Infrastructure absence of documented practices at health agencies level relating to Visiting Medical Officer claims. Repeat issues include: delegations manual for Health Infrastructure remains in draft and has done so since 2017.
Low¹ 2 new, 2 repeat
Non-compliance with key legislation and/or central agency policies
Moderate² 1 new, 7 repeat	We identified the need for agencies to improve compliance with key legislation and central agency policies, with new findings including: bank signatories list not updated to remove terminated employees subsequent changes made to Junior Medical Officers' approved rosters not approved by an authorised delegate. Repeat issues include: management of excessive annual leave non-compliance with the Government Information (Public Access) Act 2009 (GIPA Act) by Ambulance NSW.
Low¹ 5 new, 13 repeat

⁴Extreme risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
³ High risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
² Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
¹ Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.

Note: Management letter findings are based either on final management letters issued to agencies, or draft letters where findings have been agreed with management.

Complexities arising from the COVID-19 response

The 2020–21 audit identified three new high-risk findings

COVID-19 has presented the cluster with several new accounting challenges. New and evolving matters arose from changes to operating conditions, which characterised the 2020–21 financial reporting period. Issues with a high degree of estimation uncertainty will require ongoing attention as the strategies employed to deal with the COVID-19 pandemic evolve.

Expected rate of recovery of outstanding Hotel Quarantine invoices

The estimation of the amount likely to be recovered is complicated not only by the uncertainties that exist regarding the assumptions those estimations rely upon, but also the debt collection processes and strategies put into place to manage the accumulated debtors' balance. Debt collection is not administered by the cluster, but rather Revenue NSW. We observed an absence of a methodology to assess the likelihood of recovery. Instead, Sydney Local Health District was relying on Revenue NSW to develop and execute on a collection strategy. Sydney Local Health District was using the same approach to hotel quarantine debts as it did to other Health receivables. As the approach to managing international borders evolves over time, so too will the cluster's need to develop robust estimation models to assess the likely collectability of debtors.

Procurement, management and impairment of COVID-19 inventories

$656.2 million of COVID-19 inventories were procured in 2020–21, with $220.2 million consumed; $558.7 million impaired and a further $217.1 million written off. Estimates of the degree to which inventories are expired, not fit for purpose or are faulty is often based on management judgement at all stages in the procurement cycle.

With respect to the stocktaking methodology applied, the following issues were identified:

discrepancies noted in the stock bin listing provided for audit
discrepancies in the recount sheet generated
inconsistent application of the stocktake methodology
inconsistent labelling of quarantined stock
a lack of an approach for validating stock expiry dates, which is a key input to the impairment calculations.

Although management had developed processes and a methodology to count as well as to assess the level of inventory that was not fit for purpose, ongoing attention to the operating environment that emerges post pandemic will be important in assessing the degree to which existing COVID-19 inventories can be integrated into a ‘business as usual’ model going forward. Further refinement of the key elements of the stocktaking methodology will also be required to ensure that key inputs upon which management relies to calculate the year-end inventory impairment provision can be appropriately validated.

Valuation and recognition of COVID-19 vaccines received from the Commonwealth Government

The 2020–21 financial reporting period saw the Commonwealth acquire COVID-19 vaccines and provide these to state jurisdictions to dispense to their communities. The vaccines, although provided free of charge require recognition. However, Health entities were not responsible for acquiring the vaccines and data on the vaccines' cost was not shared by the Commonwealth. Management undertook a valuation using publicly available data to estimate the value to attribute to the vaccine inventory; developed new systems and leveraged existing pharmacy systems to track physical quantities received from the Commonwealth and ultimately distributed to NSW citizens. As the response to the pandemic evolves, larger quantities, and new lines of vaccine stock will be dealt with, and policy settings will need to adapt when patterns of distribution of those vaccines (e.g., timing of third booster shots) emerge. The Ministry of Health will need to ensure that the valuations applied to the prices of inventory distributed and held in stock are as accurate as possible. This can be done through further refinement of the existing valuation methodology, obtaining price information from the Commonwealth and engaging specialist pharmaceutical valuers.

Emerging trends

Recognition of provisions without sufficient support

Several NSW Health entities raised accruals and provisions in 2020–21, which did not have an appropriate basis for recognition. Liabilities can only be recognised where there is a present obligation to make a payment arising from a past event. A number of these errors remain uncorrected in the financial statements of those entities as they are not material, individually or in aggregate to the financial statements as a whole. Increased training and guidance are required to ensure that treatment within the cluster is consistent and reflects events that have occurred and give rise to obligations.

Treatment of Commonwealth funding

In the 2020–21 and 2019–20 financial reporting periods, we observed prior period errors arising from the treatment of Commonwealth funding. These errors related to recognising revenue under funding agreements entered into with the Commonwealth in the incorrect period. The conditions of these funding arrangements, the transactional information requiring validation and the circumstances when revenue should be recognised are not always clear and can be complex. Early and continuous engagement with the Commonwealth is required to ensure that revenue recognition principles are consistently applied across the cluster.

Key repeat issues

Management of excessive annual leave

NSW Treasury guidelines stipulate annual leave balances exceeding 30 days are considered excess annual leave balances. Managing excess annual leave balances has been reported as an issue for the cluster for more than five years, with the average percentage of employees with excessive leave balances over the last five years being 36.1 per cent (35.5 per cent over five years covering 2015–16 to 2019–20).

The operational demands required to manage the COVID-19 pandemic have presented new challenges for the cluster in trying to manage its excessive leave balances. 39.2 per cent of employees now have excess leave balances at 30 June 2021 (35.4 per cent at 30 June 2020).

The state's leave policy C2020-12 Managing Accrued Recreation Leave Balances requires agencies to manage excessive leave balances to 30 days or less to maintain their workforces physical and mental health.

Accurate time recording

Forced-finalisation of time records by system administrators within HealthRoster remains an issue and we continue to observe time records forced-finalised by system administrators so pay runs can be finalised on a timely basis. During 2020–21, a total of two million (2.2 million in 2019–20) time records were force approved, which represents 5.7 per cent of total time records (6.9 per cent in 2019–20).

Existence, completeness and accuracy of key agreements

Delivery of major capital projects

Health Infrastructure (a division of the Health Administration Corporation) is responsible for the delivery of major capital projects with a budgeted spend of more than $10.0 million. Health Infrastructure oversee the planning, design, procurement, and construction phases. Capital works in progress are recognised in the financial statements of the health entity that intends to use those assets upon completion. The health entities recognise both the capital work in progress and the revenue associated with the capital funding from the Ministry for the construction of the assets. Capital funding is currently agreed with health entities as part of the annual Service Agreement. The assumption that the health entities control the assets during their construction is consistent with Health Infrastructure's role as an agent for the health entity and the Ministry's policy directive PD2020-033 'Management and control of Health Administration Corporation owned Real Property'.

We continued to observe a lack of clarity regarding agreements between Health Infrastructure, the Ministry and the cluster agency that will eventually receive the completed asset. This can lead to confusion and uncertainty around the rights and obligations of each party to the transaction.

Cross border patient funding arrangements

When patients require medical care in a jurisdiction where they are not generally domiciled, there are arrangements in place to provide funding to support cross border patient treatments. We have previously observed that agreements between NSW and other jurisdictions have not been finalised, and this continues to be the case. In the case of Victoria, no agreement has been finalised for the past seven years.

We continue to note that the cluster has long outstanding receivables and payables with other states. The absence of formal agreements between the states hampers the settlement of the debts relating to the treatment of cross border patients. The following table shows the status of Cross Border Agreements between NSW and other jurisdictions:

States	2014–15	2015–16	2016–17	2017–18	2018–19	2019–20	2020–21
Queensland	Signed	Signed	Signed	Signed	Signed	Not finalised	Not finalised
Victoria	Not finalised	Not finalised	Not finalised	Not finalised	Not finalised	Not finalised	Not finalised
Australian Capital Territory	Signed	Signed	Signed	Signed	Signed	Signed	Not finalised
South Australia	Signed	Signed	Signed	Signed	Signed	Signed	Not finalised
Tasmania	Signed	Signed	Signed	Signed	Signed	Signed	Not finalised
Northern Territory	Signed	Signed	Signed	Signed	Signed	Signed	Not finalised
Western Australia	Signed	Signed	Signed	Signed	Signed	Signed	Not finalised

Albury Base Hospital

Albury Base hospital is located on the border of NSW and Victoria and services residents of both states. Documentation supporting the extension of the expired Intergovernmental Agreement 2009–2017 between NSW and Victoria in relation to the integration of health services in Wodonga and Albury could not be located.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

19 October 2021

Published

Rail freight and Greater Sydney

Transport

Information technology

Infrastructure

Management and administration

Project management

Service delivery

What the report is about

The movement of freight contributes $66 billion annually to the NSW economy. Two thirds of all freight in NSW moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036.

This audit assessed the effectiveness of transport agencies in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

What we found

Transport agencies do not have strategies or targets in place to improve the efficiency or capacity of the metropolitan shared rail network for freight.

The transport agencies acknowledge that they do not have sufficient information to achieve the most efficient freight outcomes and they do not know how to use the shared rail network to maximise freight capacity without compromising passenger rail services.

The Freight and Ports Plan 2018-2023 contains one target for rail freight - to increase the use of rail at Port Botany to 28 per cent by 2021. However, Transport for NSW (TfNSW)'s data indicates this target will not be met.

Sydney Trains records data on train movements and collects some data on delays and incidents. TfNSW collects data for the construction of the Standard Working Timetable and third-party contracts.

However, a lack of clarity around what data is gathered and who has ownership of the data makes data sharing difficult and limits its analysis and reporting.

The Freight and Ports Plan 2018-2023 includes the goal of 'Reducing avoidable rail freight delays', but the transport agencies do not have any definition for an avoidable delay and, as a result, do not measure or report them.

TfNSW and Sydney Trains are appointed to manage and deliver the Transport Asset Holding Entity of New South Wales (TAHE)'s obligations to allow rail freight operators to use the shared rail network. There are no performance measures in rail freight operator contracts or inter-agency agreements. This limits transport agencies' ability to improve performance.

TfNSW’s Freight Branch is working on four freight-specific strategies; a review of the Plan, a freight rail strategy, a port efficiency strategy and a freight data strategy.

TfNSW has not yet determined the timeframes or intended outcomes of these strategies.

What we recommended

Transport agencies should:

commit, as part of the review of Future Transport 2056, to delivering the freight-specific strategies currently in development and develop whole-of-cluster accountability for this work including timeframes, specific targets and clear roles and responsibilities
improve the collection and sharing of freight data
develop a plan to reduce avoidable freight delays
systematically collect data on the management of all delays involving and/or impacting rail-freight
develop and implement key performance indicators for the agreements between the transport agencies.

Fast facts

288 million tonnes of freight volume predicted to pass through Greater Sydney in 2036, up from 194 million in 2016 (an increase of 48%)
54 trucks that can be replaced by one 600 m long port shuttle freight train
26,671 freight trains that passed through the metropolitan shared rail network between 1 July 2020 and 30 June 2021

The movement of freight contributes $66.0 billion annually to the New South Wales economy — or 13 per cent of the Gross State Product. Two thirds of all freight in New South Wales moves through Greater Sydney, and the volume of freight moving through Greater Sydney is expected to increase by 48 per cent by 2036. This increasing demand is driven by increasing population and economic growth.

The sequence of activities required to move goods from their point of origin to the eventual consumer (the supply chain) is what matters most to shippers and consumers. Road can provide a single-mode door-to-door service, whereas conveying goods by rail typically involves moving freight onto road at some point. In Greater Sydney, 80 per cent of all freight is moved on road. Freight often passes through intermodal terminals (IMTs) as it transitions from one mode of transport to the next.

In 2016, Transport for NSW (TfNSW) released Future Transport 2056 - the NSW Government's 40-year vision for transport in New South Wales, which is intended to guide investment over the longer term. In Future Transport 2056, TfNSW noted that New South Wales will struggle to meet increasing demand for freight movements unless rail plays a larger role in the movement of freight.

Sydney Trains manages the metropolitan shared rail network, which is made up of rail lines that are used by both passenger and freight trains. The Transport Administration Act 1988 requires that, for the purposes of network control and timetabling, NSW Government transport agencies give ‘reasonable priority’ to passenger trains on shared lines. As the Greater Sydney population and rail patronage continue to grow, so too will competition for access to the shared rail network. See Appendix two for details of the area encompassed by Greater Sydney.

Freight operators can also use dedicated rail freight lines operated by the Australian Rail Track Corporation (ARTC - an Australian Government statutory-owned corporation). As the metropolitan shared rail network connects with dedicated freight lines, freight operators often use both to complete a journey.

TfNSW, Sydney Trains and the Transport Asset Holding Entity (TAHE) work in conjunction with other rail infrastructure owners and private sector entities, including port operators, privately operated IMTs and freight-shipping companies. TfNSW and Sydney Trains are responsible for managing the movement of freight across the metropolitan shared rail network. TAHE is the owner of the rail infrastructure that makes up the metropolitan shared rail network. The NSW Government established TAHE, a NSW Government state-owned corporation, on 1 July 2020 to replace the former rail infrastructure owner - RailCorp. The Auditor-General for New South Wales has commenced a performance audit on TAHE which is expected to table in 2022.

On 1 July 2021, TAHE entered into new agreements with TfNSW and Sydney Trains to operate, manage and maintain the metropolitan shared rail network. Until 30 June 2021, and in accordance with TAHE's Implementation Deed, TAHE operated under the terms of RailCorp's existing arrangements and agreements.

This audit assessed the effectiveness of TfNSW, Sydney Trains and TAHE in improving the use of rail freight capacity in Greater Sydney, and to meet current and future freight demand.

The audit focused on:

the monitoring of access to shared rail lines
the management of avoidable delays of rail freight movements
steps to increase the use of rail freight capacity in Greater Sydney.

Conclusion

Transport agencies do not have clear strategies or targets in place to improve the freight efficiency or capacity of the metropolitan shared rail network. They also do not know how to make best use the rail network to achieve the efficient use of its rail freight capacity. These factors expose the risk that rail freight capacity will not meet anticipated increases in freight demand.

Future Transport 2056 notes that opportunities exist to shift more freight onto rail, and that making this change remains an important priority for the NSW Government. However, the transport agencies acknowledge that they do not have sufficient information to achieve the most efficient freight outcomes. In particular, transport agencies do not know how to use the shared rail network in a way that maximises freight capacity without compromising passenger rail services.

Neither Future Transport 2056 nor the Freight and Ports Plan 2018–2023 give any guidance on how transport agencies will improve the efficiency or capacity of the shared rail network. Other than a target for rail freight movements to and from Port Botany, which TfNSW's data indicates will not be met, there are no targets for improving rail freight capacity across the shared network. The lack of specific strategies, objectives and targets reduces accountability and makes it difficult for transport agencies to effectively improve the use of rail freight capacity in line with their commitment to do so.

Sydney Trains and Transport for NSW do not effectively use data to improve rail freight performance and capacity.

To drive performance improvement when planning for the future, transport agencies need good quality data on freight management and movements. Sydney Trains records data on train movements in real-time and collects some data on delays and incidents. TfNSW collects data for the construction of the Standard Working Timetable (SWTT) and third-party contracts. However, the different types of data gathered and the separation between the teams responsible mean that there is a lack of clarity around what data is gathered and who has ownership it. This lack of coordination prevents best use of the data to develop a single picture of how well the network is operating or how performance could be improved.

Sydney Trains' ability to evaluate the effectiveness of its incident and delay mitigation strategies is also limited by a lack of information on its management of rail-freight related delays or incidents. While Sydney Trains collects data on major incidents, it can only use this to conduct event-specific analysis on the causes of an incident, and to review the operational and management response. The use of complete and accurate incident data would assist to define, identify and reduce avoidable delays. Reducing avoidable delays is a goal of the Freight and Ports Plan 2018–2023. More complete data on all incidents would help TfNSW to have more effective performance discussions with rail freight operators to help improve performance.

TfNSW has started developing strategies to identify how it can use rail freight capacity to achieve efficient freight outcomes, but it has not committed to implementation timeframes for this work.

TfNSW’s Freight Branch has started work on four freight-specific strategies to improve freight efficiency: a review of the Plan, a freight rail strategy, a port efficiency strategy and a freight data strategy. However, none of these strategies will be fully developed before the end of 2022. TfNSW has not yet determined the implementation timeframes or intended outcomes of these strategies, although TfNSW reports that it is taking an iterative approach and some recommendations and initiatives will be developed during 2022.

Appendix one - Response from agencies

Appendix two - The Greater Sydney region

Appendix three - TfNSW strategic projects

Appendix four - Sydney Trains path priority principles

Appendix five - Sydney Trains delay management

Appendix six - About the audit

Appendix seven - Performance auditing

Copyright notice

Parliamentary reference - Report number #357 - released (19 October 2021).

23 September 2021

Published

Access to health services in custody

Health

Justice

Management and administration

Service delivery

What the report is about

This audit assessed whether adults in custody have effective access to health services. The audit examined the activities of Justice Health and Corrective Services NSW.

What we found

The majority of custodial patients receive timely health care, but a small proportion of patients are not receiving care within target timeframes.

Eleven per cent of scheduled health appointments are not attended, and agencies can do more to understand the reasons for non-attendance.

Demand for mental health care exceeds service capacity and some patients are held in environments not appropriate for their needs.

Justice Health's information systems do not support the effective transfer of medical records as patients move around the prison network.

Not all patients are released from custody with a discharge plan.

Justice Health's system managers do not receive sufficiently detailed reports to understand strategic risks or opportunities to improve access to health services.

Public and private prison health operators do not report against consistent performance measures.

Justice Health is mandated to assess health services in private prisons. This conflicts with its role as a contracted provider of health services in the private prison system.

What we recommended

Enhanced reporting on patient access to health services, to identify risks and challenges across key service areas.

Identification and implementation of the improvements required for information to be shared across the custodial network and with external health providers.

Development of a framework to govern and monitor costs for patient health escorts and movements.

Development of a framework to govern responsibilities for mental health services.

Progression of infrastructure plans that address the lack of specialist accommodation for mental health patients and aged and frail patients.

Collaboration to align the performance measures to enable benchmarking between public and private prison health services.

Action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Fast facts

13,063 adults in the NSW prison population at 31 March 2021
31,750 unique adult patients provided with medical care in 2020
770,000 occasions of medical care provided by Justice Health in 2020
50% of all health treatment in prisons is provided to patients who receive immediate medical attention
60,000 appointments for health care in prisons were not attended in 2020
94,810 occasions of psychology service provided by Corrective Services in 2020

Access to health services in custody

This audit examined whether adults in the New South Wales public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that patients have timely access to health services, systems and practices support continuity of care, and access to health services is monitored and reviewed.

As part of this audit, we assessed actions undertaken by Justice Health and Corrective Services NSW in managing the first COVID-19 outbreak in 2020. However, due to the timing of this audit report, this audit does not report on the agencies’ response to managing the current outbreak of COVID-19 in September 2021.

Health services in New South Wales prisons are delivered by both public and private operators. The public prison system is made up of 33 correctional centres and the Long Bay Hospital. All health services in the public prison system are delivered by the Justice Health and Forensic Mental Health Network (Justice Health).

In the public prison system, Justice Health is responsible for the clinical care of patients with physical and mental illnesses. Clinicians provide health assessments, treatments, medication management, and some counselling services in prison health clinics. Patients are triaged by primary health nurses and if they require treatments or medication, they are referred to prison‑based doctors including specialists or other clinicians. Patients requiring complex or emergency care are transferred to hospitals or other specialty services outside the prison complex.

Private operators deliver health services in three private prisons through contract arrangements with Corrective Services NSW. Justice Health delivers health care at one correctional centre via a contract arrangement with Corrective Services NSW. In total, contracted health service operators deliver health care to approximately 25 per cent of the New South Wales prison population.

Justice Health is required by law to monitor the performance of contracted health service providers in New South Wales prisons, including services provided at the John Morony Correctional Centre. The Auditor‑General’s mandate does not permit a direct examination of information held by private sector entities, however this audit does assess the effectiveness of Justice Health's role in monitoring health services in private prisons.

Corrective Services NSW is responsible for security in public prisons, including the facilitation of patient access to health care at prison health clinics and the transfer of patients to hospitals and other health services outside of the prison environment. Corrective Services NSW also delivers behaviour‑based psychology services. Some are delivered as behaviour modification courses that aim to reduce criminal and offending activity amongst the prison population. These programs may be linked to parole or other custodial conditions. Other psychology services include counselling for people with self‑harming or suicidal behaviours.

Research from the Australian Institute of Health and Welfare indicates that people in custody are more likely than the general population to be affected by chronic and acute illnesses, including higher rates of mental illness and communicable diseases¹. In March 2021, there were 13,063 adults in custody in New South Wales.

The objective of this performance audit was to assess whether adults in the public prison system have effective access to health services. In making this assessment, we considered whether Justice Health and Corrective Services NSW effectively cooperate and coordinate so that:

patients have timely access to health services
systems and practices support the continuity of health care
access to health services is monitored, reviewed, and reported across the network.

¹The Australian Institute of Health and Welfare, Adult Prisoners Snapshot, 11 September 2019. At: https://www.aihw.gov.au/reports/australias-welfare/adult-prisoners.

Conclusion

Justice Health delivers timely health care to adult custodial patients who need routine medications and treatment for minor medical conditions. Justice Health also delivers timely care to patients requiring urgent medical attention, including emergency transfers to hospitals. However, Justice Health does not always meet recommended timeframes to deliver health care to patients who are waitlisted for treatment from doctors and other medical specialists, or for those waiting for assessments and prescriptions.

In 2020, Justice Health provided over 770,000 instances of medical care to adults in the New South Wales prison network. Approximately half of this health care was delivered on the spot, by nurses who dispensed routine medications or treated the minor medical ailments of 'walk‑in' patients.

Doctors, specialists, and nurse clinicians delivered the other half of prison health care via scheduled health appointments. In most cases, this health care was timely, except for a proportion of patients who were waiting for time‑critical treatments, prescriptions, or assessments. In 2020, 40 per cent of patients identified as 'Priority 1' did not receive care within the recommended three‑day timeframe. Patients waiting for these appointments constitute a small proportion of all health care delivered in 2020, at about one per cent of all health care. Nevertheless, the needs of Priority 1 patients are significant, and Justice Health does not know whether the prolonged wait times led to deteriorations in health outcomes, or other adverse outcomes.

Close to 1,000 patients required emergency treatment in 2020, and were transferred to hospitals as soon as their medical condition was identified by prison health staff.

Justice Health uses multiple information management systems that are not sufficiently linked to transfer all patient medical records and appointment information when patients are moved across the prison system. Appointment schedules and patient medications are transferred through manual processes. There is also limited information sharing with community health providers when custodial patients enter or leave custody.

Justice Health has multiple and parallel information systems, including paper‑based medical records. These systems are not effective for information sharing across the prison system as patients are moved between prisons and facilities at frequent intervals. Clinical staff are not always alerted when a patient is moved from one prison to another, or released from custody after a court appearance. This impacts on the effective scheduling and management of prison health appointments, and the exchange of patient health records across the prison network.

Justice Health's information systems and protocols also do not support the effective exchange of information with external health providers. The transfer of health information is a manual process and there can be significant delays in providing or receiving information from community health providers when custodial patients enter prisons or are released.

Corrective Services NSW and Justice Health executives do not receive sufficiently detailed information or reports to understand the impediments to health service accessibility and to enable system improvements. There is also limited joint planning between the two agencies to improve patient access to health care. The governance and monitoring arrangements for public and private prison health services are flawed and create a conflict of interest for Justice Health as both a service provider and a system monitor.

Justice Health's data dashboard assists managers and clinicians to understand and manage the wait times for health appointments at the prison service level. However, reporting to senior executives on wait times for health services is insufficiently detailed to indicate risks or opportunities for strategic improvement. Corrective Services NSW does not produce sufficiently detailed reports on the costs of transferring custodial patients to health appointments outside the prison network to improve efficiencies or understand trends over time.

There is not enough system‑level planning between Corrective Services NSW and Justice Health to optimise patient attendance at health appointments. Greater collaboration is needed to improve appointment scheduling through notifications about patient movements across the prison network.

There are limitations in the performance monitoring of public and private prison health services. It is not possible to benchmark or compare public and private prison health services and outcomes because the two systems do not report against common Key Performance Indicators.

While Justice Health has taken steps to maintain independence and transparency in its legislated role as assessor of health services in private prisons, there is an inherent conflict of interest in this monitoring role, as Justice Health is also a contracted provider of health services in the private prison system.

1. Key findings

The majority of custodial patients receive timely health care, but a small proportion of patients with priority appointments are not receiving care within target timeframes

Approximately half of all health care provided by Justice Health is immediate. It is delivered to 'walk‑in' patients as soon as they present at prison health clinics. Most of these patients are receiving daily medications, while a small proportion require urgent or immediate care for injuries or illnesses. The other half of prison health care is delivered via scheduled appointments. Patients waiting for health appointments are given a priority rating according to the time within which they should be seen by a clinician.

Patients requiring the most time‑critical care are given a Priority 1 rating. These patients should receive treatment within one to three days. In December 2020, the average wait time for Priority 1 treatment was five and a half days, almost double the target. This is an improvement on wait times in June 2019, when the average wait time was just over 13 days. Justice Health does not assess or measure the impacts of delayed care on these patients.

According to Justice Health, the high numbers of ‘walk‑ins’ contribute to increased wait times for medical appointments. In addition, some specialty health clinics operate weekly, which means that patients cannot be seen by specialists within a one to three‑day timeline. Security events such as prison lockdowns can also contribute to increased wait times, as they limit the access that patients have to prison health clinics during out‑of‑cell hours.

If patients need emergency medical treatment, they are transferred to hospitals in line with Justice Health's policy. In 2020, just over 1,000 patients were transferred to hospital for emergency medical care.

A significant proportion of prison health appointments are not attended, and not enough is being done to understand the reasons, or to improve attendance rates

In 2020, 11 per cent of all scheduled health appointments in prison clinics were not attended. This amounts to approximately 60,000 appointments over the year. Non‑attended appointments have flow‑on impacts on wait times and backlogs for scheduled health appointments. Understanding why they occur is necessary to improve efficiencies in scheduling and patient access to health services.

In 2020, the most common reason for non‑attended health appointments was: 'patient unable to attend'. Justice Health clinicians use this when patients do not arrive at the prison health clinic at the scheduled time, and clinicians lack any other information to explain the non‑attendance.

The second most common recorded reason for non‑attended appointments was: 'cancelled by Corrective Services NSW'. These cancellations are due to operational or security reasons, including prison lockdowns. Data from Justice Health indicates that in 2020, there were an average of 12 lockdowns per week across New South Wales prisons.

A range of factors can impact on patient attendance at appointments, some of which are unavoidable. That said, more can be done to understand and reduce non‑attendance. For example, there is potential for Corrective Services NSW to implement tighter protocols to update information about patient availability on the daily movement lists. This might include checking whether patients are willing to attend appointments. Similarly, there is potential for Justice Health clinicians to implement tighter protocols to check patient lists ahead of scheduled appointments, and to re‑schedule appointments where patients are unavailable.

Demand for mental health care exceeds service capacity and some patients are held in environments that are not appropriate for their needs

There is a high demand for mental health services in New South Wales prisons. In March 2021, at least 143 mental health patients were waiting for access to an acute or sub‑acute mental health unit across the New South Wales prison system. The average wait time for a mental health facility was 43 days. Seventeen patients had wait times of over 100 days. Patients waiting for sub‑acute mental health services had longer wait times than those waiting for acute mental health services.

There are limited mental health beds for women across the New South Wales prison network. There are ten allocated beds for women at the Mental Health Screening Unit at Silverwater Correctional Complex, and no allocated beds for women at Long Bay Hospital.

A lack of bed availability in the Forensic Hospital means that, as of February 2021, 63 forensic patients were being held in mental health facilities in mainstream prisons, when they should have been accommodated in the Forensic Hospital. Some of these forensic patients have been held in mainstream prison facilities for decades.

Cross‑agency co‑operation and planning is required to identify and build infrastructure that will reduce wait times for mental health beds. Over several years, Justice Health has developed, reviewed, and worked to progress a strategic plan for NSW Forensic Mental Health that includes enhanced mental health bed capacity across the NSW system. The latest version of this strategic plan remains in draft and has yet to be approved by the NSW Ministry of Health.

In 2016, Corrective Services NSW commenced a Prison Bed Capacity Program. It was focussed on enhancing capacity across the prison system and did not include specialist health beds. More recently, Corrective Services NSW has been developing a business case to improve the provision of specialist health care facilities across the network, including mental health facilities.

Justice Health's clinical information systems do not support the effective transfer of health appointments or medication records as patients are moved to new prison locations

Justice Health's clinical information systems are multiple and complex. There are five health information systems that include a mix of electronic and paper‑based records. Information management systems contain clinical records, appointment information, medication records, dental records, and specialist health information. Corrective Services NSW maintain separate information systems relating to prison records and psychology treatment information.

The transfer of people across different correctional centres is a frequent occurrence. In 2020, there were over 41,000 movements between correctional centres. People are transferred for a range of reasons including for security purposes, or to be located closer to hospitals or specialist health services.

Justice Health receives a list of patient transfers one day prior to transfer. Nurses are required to prepare medications and clinical handovers for patients with complex health conditions. These handovers are verbal, however short timeframes mean that handover is not always possible.

While each patient's electronic health records are available across the network, transfer of appointment waitlists must be done manually. There is no automatic alert within the information systems to tell staff that a patient has been moved to another prison. There is a risk that if appointment records are not manually updated, or if staff at destination clinics are not contacted, then appointments will be overlooked.

Justice Health is working with eHealth NSW to develop an improved Electronic Medication Management (EMM) program with expected delivery in late 2021. The EMM has potential to improve the transfer of patient medication records, but it will not fully remediate all inefficiencies of the current systems.

Corrective Services NSW and Justice Health do not engage in sufficient joint planning to improve efficiencies in transports or escorts to health services

Corrective Services NSW and Justice Health do not engage in joint system‑level planning to mitigate the risks and the costs associated with transferring patients to health clinics in prisons, or non‑prison‑based health care. There are no protocols, and limited sharing of information to improve efficiencies in planning and coordinating patient transfers.

Corrective Services NSW does not collate or report on the costs of transporting patients to hospitals and specialist care. While there is data on the overall cost of medical escorts, estimated to be $19.9 million in 2020, Corrective Services NSW is not able to disaggregate this data to determine the reasons for transfers or the system‑level costs. For example, Corrective Services NSW does not know how many prison lockdowns occur when hospital transfers are required.

Medical escorts to specialist health services and hospitals increase the costs to the prison system and contribute to risks in prison management. Medical escorts contributed to 16 per cent of metropolitan prison lockdowns at the peak in 2018, though escort numbers have since been declining. Some Local Health Districts report significant concerns around safety incidents and assaults on staff during medical escorts to hospital.

Corrective Services NSW does not know if transport costs have increased since the 2016 Prison Bed Capacity Program which expanded prison beds in regional New South Wales. To date, there has been no assessment of the cost of taking patients to tertiary hospitals or specialist services. Corrective Services NSW has identified this as an area for improvement.

Justice Health's system managers do not receive sufficiently detailed reports on wait times for health care, to understand strategic risks or opportunities for system improvement

Justice Health's senior executives receive monthly reports on patient wait times for services in prison health clinics. These reports contain headline data about the numbers of days that patients wait for scheduled health appointments by their allocated priority level. Wait time data are averaged across all New South Wales prison health clinics. With some exceptions, almost all executive level reports describe system‑wide appointment wait times without offering further specific detail. For example, there is limited information which would allow managers to understand the performance of specialty health groups, or to make any comparative analysis of the performance of different prison facilities.

Executive reports are also not detailed enough to indicate whether prisons with particular security classifications offer greater or lesser access to health services. It is not possible to assess whether patients in metropolitan or regional prisons have different levels of health service access. This prevents managers from identifying strategic risks across the prison network, targeting resources to the areas of greatest risk, and making strategic improvements in system performance.

Trend data on wait times for the different health specialty areas is also required to enable senior managers to compare wait times across prison facilities, security classifications, and localities.

In response to the preliminary findings of this audit, Justice Health has made some improvements to its executive‑level wait time reports. This includes additional detail on health appointment wait times by prison facilities and wait times by health specialty areas.

It is not possible to compare or benchmark the performance of public and private prison health operators or to compare prison health against community health standards

It is not possible to compare or benchmark the performance of the public and private prison health operators in New South Wales using the current Key Performance Indicator (KPI) data. KPI data do not correlate across the public and private systems.

Justice Health reports to the Ministry of Health on 44 prison health KPIs. The 44 KPIs for the public prison system do not align with the seven KPIs the private health operators report against in their contracts with Corrective Services NSW. This means that public and private operators focus on different service areas. For example, private operators have a performance measure for ensuring that custodial patients are provided with release plans. Justice Health does not have a similar measure.

The KPI specifications for the private prison health system were developed by Corrective Services NSW with input from the Ministry of Health. The KPI specifications for the public prison health system were developed by the Ministry of Health in collaboration with Justice Health. There is no rationale for the difference in performance indicators across the public and private systems.

Private providers currently deliver prison services to 25 per cent of the prison population of New South Wales. This proportion has been increasing since 2016. Public and private health operators deliver comparable health services so there is scope to compare performance across the systems.

Justice Health aligns its standard for prison health services with a 'community’ standard of health care access. However, with existing health monitoring measures, it is not possible to assess how well Justice Health is tracking against community health standards with available data from most health specialties.

There is an inherent conflict of interest in Justice Health's monitoring role of health services in private prisons, as Justice Health is also a provider of health services in a private prison

There is a legislated requirement for Justice Health to monitor the performance of private health operators in New South Wales prisons. This monitoring role is described in the Crimes (Administration of Sentences) Act 1999.

Justice Health's monitoring role includes the collection and analysis of health performance data from private health operators, and periodic site visits to assess health service performance. Justice Health reports the findings of monitoring activities to Corrective Services NSW, the contract manager for private prisons.

Justice Health's monitoring role commenced in the late 1990s. In recent years, this role has expanded as the NSW Government has increased the number of privately managed prisons across the state. Justice Health now monitors health services in four private prisons, accounting for approximately one quarter of all custodial patients in the New South Wales prison system.

In 2018, Justice Health was awarded a contract to provide health services at the John Morony Correctional Centre. Justice Health also monitors the health services this Correctional Centre. The timing of the 1999 legislation did not anticipate that Justice Health would be a provider of the services it is required to monitor.

Justice Health has taken steps to maintain independence and transparency in its monitoring role by establishing a number of arms‑length governance arrangements. Justice Health set up a Commissioning Unit that operates independently from its service delivery operations. Justice Health also established an alternative reporting chain via a Board subcommittee to oversee the performance of health providers in private prisons.

Despite all actions to establish independence, the monitoring role confers dual responsibilities on the Chief Executive of Justice Health as both an operational manager of health services in a private prison and as a manager responsible for monitoring these same services. As a result, the Chief Executive of Justice Health has access to information about the overall performance of the private prison health system in New South Wales.

As a competitor for the provision of health services in privately operated prisons, Justice Health has access to information to which other private health providers do not. This potentially gives Justice Health a competitive advantage over other private health operators.

2. Recommendations

By December 2022, Justice Health should:

1. enhance reporting on patient access to health services to ensure that system managers can identify risks, challenges, and system improvements across key areas of its service profile

2. in collaboration with the NSW Ministry of Health, identify and implement the required improvements to its health information management systems that will enable effective transfers of patient clinical records and appointment information across the custodial network and with external health providers.

By December 2022, Justice Health and Corrective Services NSW should:

3. develop a joint framework to govern and monitor the costs of their common and connected responsibilities for patient health movements across the prison network and to external health services

4. develop a joint framework to govern their common and connected responsibilities for mental health services.

By December 2022, Justice Health and Corrective Services NSW, in collaboration with the NSW Ministry of Health, should:

5. progress infrastructure plans and projects that address the lack of specialist accommodation for mental health patients and aged and frail patients

6. standardise and align the key performance indicators that monitor the performance of health operators in public and private prisons so that system‑wide benchmarking is possible.

By December 2022, the NSW Ministry of Health should:

7. take action to remediate the conflicting monitoring arrangements of public and private prison health operators.

Appendix one – Response from agencies

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

Parliamentary reference - Report number #356 - released (23 September 2021).

7 September 2021

Published

Managing climate risks to assets and services

Planning

Environment

Treasury

Industry

Infrastructure

Management and administration

Risk

Service delivery

What the report is about

This report assessed how effectively the Department of Planning, Industry and Environment (DPIE) and NSW Treasury have supported state agencies to manage climate risks to their assets and services.

Climate risks that can impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. Impacts can include damage to transport, communications and energy infrastructure, increases in hospital admissions, and making social housing or school buildings unsuitable.

NSW Treasury estimates these risks could have significant costs.

What we found

DPIE and NSW Treasury’s support to agencies to manage climate risks to their assets and services has been insufficient.

In 2021, key agencies with critical assets and services have not conducted climate risk assessments, and most lack adaptation plans.

DPIE has not delivered on the NSW Government commitment to develop a state-wide climate change adaptation action plan. This was to be complete in 2017.

There is also no adaptation strategy for the state. These have been released in all other Australian jurisdictions. The NSW Government’s draft strategic plan for its Climate Change Fund was also never finalised.

DPIE’s approach to developing climate projections is robust, but it hasn’t effectively educated agencies in how to use this information to assess climate risk.

NSW Treasury did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019.

In March 2021, DPIE and NSW Treasury released the Climate Risk Ready NSW Guide and Course. These are designed to improve support to agencies.

What we recommended

DPIE and NSW Treasury should, in partnership:

enhance the coordination of climate risk management across agencies
implement climate risk management across their clusters.

DPIE should:

update information and strengthen education to agencies, and monitor progress
review relevant land-use planning, development and building guidance
deliver a climate change adaptation action plan for the state.

NSW Treasury should:

strengthen climate risk-related guidance to agencies
coordinate guidance on resilience in infrastructure planning
review how climate risks have been assured in agencies’ asset management plans.

Fast facts

4 years

between commitments in the NSW Climate Change Policy Framework, and DPIE and NSW Treasury producing key supports to agencies for climate risk management.

$120bn

Value of physical assets held by nine NSW Government entities we examined that have not completed climate risk assessments.

Low capability to do climate risk assessment has been found across state agencies. The total value of NSW Government physical assets is $365 billion, as at 30 June 2020.

x3

NSW Treasury’s estimates of the annual fiscal and economic costs associated with natural disasters will triple by 2060–61.

According to the Intergovernmental Panel on Climate Change in 2021, each of the last four decades has been successively warmer and surface temperatures will continue to increase until at least the mid-century. The Commonwealth Scientific and Industrial Research Organisation (CSIRO) and the Bureau of Meteorology (BoM) have reported that extreme weather across Australia is more frequent and intense, and there have been longer-term changes to weather patterns. They also report sea levels are rising around Australia increasing the risk of inundation and damage to coastal infrastructure and communities.

According to the Department of Planning, Industry and Environment (the department), in New South Wales the impacts of a changing climate, and the risks associated with it, will be felt differently across regions, populations and economic sectors. The department's climate projections indicate the number of hot days will increase, rainfall will vary across the state, and the number of severe fire days will increase.

The NSW Government is a provider of essential services, such as health care, education and public transport. It also owns and manages around $365 billion in physical assets (as at June 2020). More than $180 billion of its assets are in major infrastructure such as roads and railway lines.

In NSW, climate risks that could directly impact on state agencies' assets and services include flooding, bushfires, and extreme temperatures. In recent years, natural hazards exacerbated by climate change have damaged and disrupted government transport, communications and energy infrastructure. As climate risks eventuate, they can also increase hospital admissions when people are affected by poorer air quality, and make social housing dwellings or schools unsafe and unusable during heatwaves. The physical impacts of a changing climate also have significant financial costs. Taking into account projected economic growth, NSW Treasury has estimated that the fiscal and economic costs associated with natural disasters due to climate change will more than triple per year by 2061.

The department and NSW Treasury advise that leading practice in climate risk management includes a process that explicitly identifies climate risks and integrates these into existing risk management, monitoring and reporting systems. This is in line with international risk management and climate adaptation standards. For agencies to manage the physical risks of climate change to their assets and services, leading practice identified by the department means that they need to:

use robust climate projection information to understand the potential climate impacts
undertake sound climate risk assessments, within an enterprise risk management framework
implement adaptation plans that reduce these risks, and harness opportunities.

Adaptation responses that could be planned for include: controlling development in flood-prone locations; ensuring demand for health services can be met during heatwaves; improving thermal comfort in schools to support student engagement; proactive asset maintenance to reduce disruption of essential services, and safeguarding infrastructure from more frequent and intense natural disasters.

According to NSW Treasury policy, agencies are individually responsible for risk management systems appropriate to their context. The department and NSW Treasury have key roles in ensuring that agencies are supported with robust information and timely, relevant guidance to help manage risks to assets and services effectively, especially for emerging risks that require coordinated responses, such as those posed by climate change.

This audit assessed whether the department and NSW Treasury are effectively supporting NSW Government agencies to manage climate risks to their assets and services. It focused on the management of physical risks to assets and services associated with climate change.

Conclusion

The Department of Planning, Industry and Environment (the department) has made climate projections available to agencies since 2014, but provided limited guidance to assist agencies to identify and manage climate risks. NSW Treasury first noted climate change as a contextual factor in its 2012 guidance on risk management. NSW Treasury only clarified requirements for agencies to integrate climate considerations into their risk management processes in December 2020.

The department has not delivered on a NSW Government commitment for a state-wide climate change adaptation action plan, which was meant to be completed in 2017. Currently many state agencies that own or manage assets and provide services do not have climate risk management in place.

Since 2019, the department and NSW Treasury have worked in partnership to develop a coordinated approach to supporting agencies to manage these risks. This includes guidance to agencies on climate risk assessment and adaptation planning published in 2021.

More work is needed to embed, sustain and lead effective climate risk management across the NSW public sector, especially for the state's critical infrastructure and essential services that may be exposed to climate change impacts.

The NSW Government set directions in the 2016 NSW Climate Change Policy Framework to 'manage the impact of climate change on its assets and services by embedding climate change considerations into asset and risk management’ and more broadly into 'government decision-making'.

The department released climate projections and has made information on projected climate change impacts available since 2014, but this has not been effectively communicated to agencies. The absence of a state-wide climate change adaptation action plan has limited the department's implementation of a coordinated, well-communicated program of support to agencies for their climate risk management.

NSW Treasury is responsible for managing the state's finances and providing stewardship to the public sector on financial and risk management, but it did not consistently apply dedicated resourcing to support agencies' climate risk management until late 2019. NSW Treasury estimates the financial costs of climate-related physical risks are significant and will continue to grow.

The partnership between the department and NSW Treasury has produced the 2021 Climate Risk Ready NSW Guide and Course, which aim to help agencies understand their exposure to climate risks and develop adaptation responses. The Guide maps out a process for climate risk assessment and adaptation planning and is referenced in NSW Treasury policy on internal audit and risk management. It is also referenced in NSW Treasury guidance to agencies on how to reflect the effects of climate-related matters in financial statements.

There is more work to be done by the department on maintaining robust, accessible climate information and educating agencies in its use. NSW Treasury will need to continue to update its policies, guidance and economic analyses with relevant climate considerations to support an informed, coordinated approach to managing physical climate risks to agencies' assets and services, and to the state's finances more broadly.

The effectiveness of the department and NSW Treasury's support involves the proactive and sustained take-up of climate risk management by state agencies. There is a key role for the department and NSW Treasury in monitoring this progress and its results.

Prior to 2021, support provided by the Department of Planning, Industry and Environment (the department) to agencies for managing physical climate risks to their assets and services has been limited. NSW Treasury has a stewardship role in public sector performance, including risk management, but has not had a defined role in working with the department on climate risk matters until mid-2019. The low capacity of agencies to undertake this work has been known to NSW Government through agency surveys by the department in 2015 and by the department and NSW Treasury in 2018.

The support delivered to agencies around climate risk management, including risk assessment and adaptation planning, has been slow to start and of limited impact. The department's capacity to implement a coordinated approach to supporting agencies has also been limited by the absence of a state-wide adaptation strategy and related action plan.

In 2021, products were released by the department and NSW Treasury with potential to improve support to agencies on climate risk assessment and adaption planning (that this, Climate Risk Ready NSW Guide and Course, which provides links to key NSW Treasury polices). The department and NSW Treasury are now leading work to develop a more coordinated approach to climate risk management for agencies' assets and services, and building the resilience of the state to climate risk more broadly.

Climate projections are a key means of understanding the potential impacts of climate change, which is an important step in the climate risk assessment process. The Department of Planning, Industry and Environment (the department) used a robust approach to develop its climate projections (NARCliM). The full version of NARCliM (v1.0) is based on 2007 models¹¹ and while still relevant, this has limited its perceived usefulness and uptake. The process of updating these projections requires significant resourcing. The department has made recent updates to enhance the currency and usefulness of its climate projections. NARCliM (v2.0) should be available in 2022.

While climate projections have been available to agencies and the community more broadly since 2013–14, the department has not been effective in educating the relevant data users within agencies in how to use the information for climate risk assessments and adaptation planning.

The absence of a strategy focused on this is significant and has contributed to the current low levels of climate risk assessment uptake across agencies (see section 2). Agencies are required to use the climate projections developed by the department when developing long term plans and strategies as part of the NSW Government Common Planning Assumptions.

¹¹The department advises the 2007 global climate models were released to users by the Intergovernmental Panel on Climate Change in 2010.

It is too soon to determine the impact of the 2021 Climate Risk Ready NSW (CRR) Guide and Course, produced by the Department of Planning, Industry and Environment (the department) and NSW Treasury. But there are opportunities for these agencies to progress these developments in partnership: especially with the establishment of senior executive steering and oversight committees related to climate risk.

For the department, key opportunities to embed climate risk management include leveraging land use planning policies and guidance to drive adaptation, which has potential to better protect the state's assets and services. NSW Treasury has a role in continuing to update its policies, guidance and economic analyses with relevant climate change considerations to support an informed, coordinated approach to addressing physical climate risks to agencies' assets and services, and to the state's finances more broadly.

There is currently no plan on how the department and NSW Treasury intend to routinely monitor the progress of agencies with implementing the CRR Guide or developing climate risk 'maturity' more broadly. As agencies are responsible for implementing risk management systems that meet NSW Treasury standards, which now clearly includes consideration of climate risk (TPP20-08), establishing effective monitoring, reporting and accountability around this progress should be a priority for the department and NSW Treasury.

Appendix one – Response from agencies

Appendix two – Timeline of key activities

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

Parliamentary reference - Report number #355 - released (7 September 2021).

27 July 2021

Published

Fast-tracked Assessment Program

Planning

Industry

Environment

Compliance

Internal controls and governance

Management and administration

Service delivery

What the report is about

This report examines the effectiveness of the Fast-tracked Assessment Program, administered by the Department of Planning, Industry and Environment (DPIE) between April 2020 and October 2020.

The program aimed to support the construction industry during the COVID-19 crisis by accelerating the final assessment stages for planning proposals and development applications.

DPIE selected projects and planning proposals for fast tracked assessment that demonstrated the potential to:

deliver jobs
progress to the next stage of development within six months of determination
deliver public benefit.

The audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls.

What we found

Through tranches three to six of the program, DPIE successfully accelerated the final stages of 53 assessments. DPIE reported that 89 per cent of these proceeded to the next stage of development within six months.

Assessment of projects and planning proposals was compliant with legislation and other requirements. However, the audit found gaps in DPIE's management of conflicts of interest.

DPIE has not evaluated or costed the program and is not able to demonstrate the extent to which it provided support to the construction industry during COVID-19.

Aspects of the program have been incorporated into longer term reforms to create a new level of transparency over the progress and status of planning assessments.

What we recommended

DPIE should:

strengthen controls over conflicts of interest
evaluate the Fast-tracked Assessment Program.

Fast facts

Construction industry support

The program aimed at providing immediate support to the construction industry during the COVID-19 crisis

59 fast-tracked projects

59 projects and 42 planning proposals projects were assessed in six tranches

89% of all fast-tracked assessments in tranches three to six progressed to the next stage of the planning process within six months of determination

In April 2020, the Department of Planning, Industry and Environment (DPIE) introduced programs aimed at providing immediate support to the construction industry during the COVID-19 crisis. One of these was the Fast-tracked Assessment Program. This program identified planning proposals and development applications (DAs), across six tranches, that were partially-assessed and could be accelerated to determination.

In accordance with the program objectives, the planning proposals and DAs selected for fast-tracked assessment had to:

deliver jobs – particularly in the construction industry
be capable of progressing to the next stage of development within six months of determination
deliver public benefit.

At the same time, the Fast-tracked Assessment Program was to lay a foundation for future reform of the planning system by piloting changes in the assessment process that could be adopted in the medium to long term.

This audit assessed whether the Fast-tracked Assessment Program achieved its objectives while complying with planning controls. The audit focused on tranches three to six of the program, which were determined between July 2020 and October 2020. The rationale for focusing on these four tranches was that the program design had been slightly modified after the first two tranches to address identified risks.

Conclusion

Through tranches three to six of the Fast-tracked Assessment Program, DPIE successfully accelerated the final stages of 53 assessments. DPIE’s internal monitoring indicates that 31 DAs and 16 planning proposals selected in these tranches proceeded to the next stage of development within six months of determination. DPIE achieved this while also successfully managing the risk of non-compliance with planning controls arising from the accelerated process. While DPIE has incorporated components of the Fast-tracked Assessment Program into other longer-term reforms, it has not evaluated the program and is not able to demonstrate the extent to which the program provided support to the construction industry during COVID-19.

Between April and October 2020, DPIE adopted a case management approach to accelerate the final stages of assessment for 42 planning proposals and 59 DAs in six tranches. Tranches three to six were the focus of this audit and included 22 planning proposals and 31 DAs. Applicants involved in the program were expected to progress their projects to the next stage of development within six months of determination. While DPIE had no way of compelling applicants to do this and relied on non-binding commitments obtained from applicants, DPIE’s internal monitoring indicates that 47 of the 53 applicants selected in tranches three to six honoured this commitment.

Fast-tracked assessment only applied to the final stages of assessment and required DPIE staff and other stakeholders to work towards a determination deadline. DPIE effectively used a case management approach to manage the risk that the accelerated timeframe could result in planning controls not being fully compliant with legislation. There is some room for improvement in the process, as four of 28 staff assessing planning proposals and DAs had not lodged current conflict of interest declarations.

Based on the results of and learnings from the Fast-tracked Assessment Program, DPIE has incorporated some elements of the program into other longer-term reforms. There is now increased transparency about when applicants can expect to receive a planning determination and DPIE has also introduced a case management approach for strategic and high priority planning applications. Applicants benefiting from case-managed assessment are now required to commit to a formal service charter that specifies the obligations of both DPIE and the applicant.

DPIE has not evaluated the Fast-tracked Assessment Program to understand the costs and benefits of the program, nor which aspects of the program were most effective as a basis for future reform.

Appendix one – Response from agency

Appendix two – Planning determination pathways

Appendix three – About the audit

Appendix four – Performance auditing

Parliamentary reference - Report number #354 - released (27 July 2021).

13 July 2021

Published

Managing cyber risks

Whole of Government

Transport

Cyber security

Information technology

Internal controls and governance

Procurement

Risk

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’.

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP).

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

develop and implement a plan to uplift the Essential 8 controls to the agency's target state
as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
ensure cyber security risk reporting to executives and the Audit and Risk Committee
collect supporting information for the CSP self assessments
classify all information and systems according to importance and integrate this with the crown jewels identification process
require more rigorous analysis to re-prioritise CDP funding
increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

clarify the requirement for the CSP reporting to apply to all systems
require agencies to report the target level of maturity for each mandatory requirement.

Fast facts

$42m Total value of the Transport Cyber Defence Rolling Program over three years.
7.2% Percentage of staff across the Transport cluster who had completed introductory cyber security training

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

Are agencies effectively identifying and planning for their cyber security risks?
Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Conclusion

Transport for NSW and Sydney Trains are not effectively managing their cyber security risks. Significant weaknesses exist in their cyber security controls, and both agencies have assessed that their cyber risks are unacceptably high. Neither agency has reached its Essential 8 or Cyber Security Policy target levels. This low Essential 8 maturity exposes both agencies to significant risk. Both agencies are implementing cyber security plans to address identified cyber security risks.

This audit identified other weaknesses, such as low numbers of staff receiving basic cyber security awareness training. Cyber security training is important for building and supporting a cyber security culture. Not all of the weaknesses identified in this audit had previously been identified by the agencies, indicating that their cyber security risk identification is only partially effective.

Agency executives do not receive regular detailed information about cyber risks and how they are being managed, such as information on mitigations in place and the effectiveness of controls for cyber risk. As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making.

TfNSW and Sydney Trains are partially effective at identifying their cyber security risks and both agencies have cyber security plans in place

Both agencies regularly carry out risk assessments and have identified key cyber security risks, including risks that impact on the agencies' crown jewels. These risks have been incorporated into the overall enterprise risk process. However, neither agency regularly reports detailed cyber risk information to agency executives to adequately inform them about cyber risk. The Cyber Security Policy (CSP) requires agencies to foster a culture where cyber security risk management is an important and valued aspect of decision-making. By not informing agency executives in this way, TfNSW and Sydney Trains are not fulfilling this requirement.

Agencies' cyber security risk assessment processes are not sufficiently comprehensive to identify all potential risks. Not all of the weaknesses identified in this audit had previously been identified by the agencies.

To address identified cyber security risks, both agencies have received funding approval to implement cyber security plans. TfNSW first received approval for its cyber security plan in 2017. Sydney Trains received approval for its cyber security plan in February 2020. In 2020–21 TfNSW and Sydney Trains combined their plans into the Transport Cyber Defence Rolling Program business case valued at $42.0 million over three years. This is governed as part of a broader Cyber Defence Portfolio (CDP). The CDP largely takes a risk-based approach to annual funding. The Cyber Defence Portfolio Steering Committee and Board can re-allocate funds from an approved project to a different project. This re-allocation process could be improved by making it more risk-based.

TfNSW and Sydney Trains are not effectively managing their cyber security risks

Neither agency has fully mitigated its cyber security risks. These risks are significant. Neither TfNSW nor Sydney Trains have reduced their cyber risk to levels acceptable to the agencies. Both agencies have set a risk tolerance for cyber security risks, and the identified enterprise-level cyber security risks remain above this rating. Both agencies' self-attested maturity against the Essential 8 remains low in comparison to the agencies' target levels, and in relation to the significant risks and vulnerabilities that are exposed. Little progress was made against the Essential 8 in 2020.

Neither agency has reached its target levels of maturity for the CSP mandatory requirements. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles. The Transport Cyber Defence Rolling Program has a KPI to achieve a target rating of three for all CSP requirements where business appropriate. TfNSW considers this target rating to be its target for all the CSP requirements. However TfNSW has not undertaken analysis to determine whether this target is appropriate to its business.

The CSP makes agencies accountable for the cyber risks of their ICT service providers. While both agencies usually included their cyber security expectations in contracts with third-party suppliers, neither agency was routinely conducting audits to ensure that these expectations were being met.

The CSP requires agencies to make staff aware of cyber security risks and deliver cyber security training. TfNSW is responsible for delivering cyber security training across the Transport cluster, including in Sydney Trains. TfNSW was not effectively delivering cyber security training across the cluster because training was not mandatory for all staff at the time of the audit and completion rates among those staff assigned the training was low. As such, only 7.2 per cent of staff across the Transport cluster had completed introductory cyber security training as at January 2021.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Exhibit 7 - Spot the Scammer exercise
In both 2019 and 2020, TfNSW performed a ‘Spot the Scammer’ exercise in which they sent out over 25,000 emails to staff based on a real phishing attack in order to measure awareness and response. The exercise tested staff 'click through rate', the percentage of staff who clicked on the fake phishing link. In 2019, these results were then compared to industry benchmarks, with over a 20 per cent click through rate being considered 'very high'. Both TfNSW and Sydney Trains were considered to have a ‘very high’ click through rate in comparison to these benchmarks in both 2019 and 2020. This indicates that staff awareness of phishing emails was low. The click through rate for TfNSW was 24 per cent in 2020, an increase from 22 per cent in 2019. For Sydney Trains, the click through rate in 2020 was 32 per cent, which was a decrease from 40 per cent in 2019.

Source: Audit Office analysis of TfNSW documents.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

Parliamentary reference - Report number #353 - released (13 July 2021).

Audit progress

Sector

Year

Report type

Topic

Reports

What the report is about

What we found

What we recommended

Fast facts

Section highlights

Section highlights

Findings reported to management

The number of findings reported to management has increased, and 37 per cent of all issues were repeat issues

2020–21 audits identified six high-risk findings

The number of moderate risk findings increased from prior year

Transport Asset Holding Entity of New South Wales

Background

Copyright notice

What the report is about

What we found

What we recommended

Fast facts

Conclusion

Banner image used with permission. Title: Forces of Nature Artist: Lee Hampton – Koori Kicks Art

Copyright notice

What the report is about

What we found

What we recommended

Fast facts

NSW Government's response to the risks posed by combustible external cladding

Commissioner for Fair Trading's building product use ban

Project Remediate

About this audit

Auditees

Terminology

Conclusion

Inspections of existing buildings and development of any subsequent action plans to address combustible external cladding are not activities covered by accreditation or registration schemes for building certifiers

Consent authorities determine whether individuals with accreditation are required for combustible cladding inspection, risk assessments and remediation on existing buildings

Certifier accreditation schemes do not cover cladding remediation work done under fire safety orders

Reforms impact on regulated experts doing work on new buildings

Copyright notice

What the report is about

What we found

What the key issues were

What we recommended

Fast facts

Section highlights

Section highlights

Copyright notice

What the report is about

What we found

What the key issues were

What we recommended

Fast facts

Section highlights

Section highlights

Findings reported to management

The number of findings reported to management has increased, with 47.4 per cent of all issues being repeat issues

Complexities arising from the COVID-19 response

The 2020–21 audit identified three new high-risk findings

Expected rate of recovery of outstanding Hotel Quarantine invoices

Procurement, management and impairment of COVID-19 inventories

Valuation and recognition of COVID-19 vaccines received from the Commonwealth Government

Emerging trends

Recognition of provisions without sufficient support

Treatment of Commonwealth funding

Key repeat issues

Management of excessive annual leave

Accurate time recording

Existence, completeness and accuracy of key agreements

Delivery of major capital projects

Cross border patient funding arrangements

Albury Base Hospital

Copyright notice

What the report is about

What we found

What we recommended

Fast facts

Conclusion

Banner image used with permission.
Title: Forces of Nature
Artist: Lee Hampton – Koori Kicks Art