Reports
Government's acquisition of private property: Sydney Metro project
What the report is about
Sydney Metro is Australia’s largest public transport project. It requires the acquisition of many private properties, including residential and business properties.
This audit assessed the effectiveness of the acquisition of private properties for the Sydney Metro project. The audited agencies were Sydney Metro, the Department of Planning and Environment (Valuer General NSW) and Transport for NSW (the Centre for Property Acquisition).
The audit assessed agencies against the framework for property acquisitions in New South Wales. It did not re-perform the valuations done for individual properties that were acquired by Sydney Metro.
What we found
Acquisitions of private property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. We found Sydney Metro:
- complied with legislative and policy requirements for compensation and communication with people subject to property acquisitions
- kept accurate records of its acquisitions and applied probity controls consistently
- did not complete detailed plans or negotiation strategies for the high-risk and high-value acquisitions we reviewed
- did not comply with legislative timelines for most compulsory acquisitions because of delays in receiving the required information from the Valuer General in these cases.
The Centre for Property Acquisition has overseen the implementation of reforms to residential acquisition processes, but its assessment of the effectiveness of these reforms has not been comprehensive.
What we recommended
The audit made four recommendations to the audited agencies to improve:
- plans and strategies for the acquisition of high-risk and high-value properties
- timeliness of issuing compensation determinations for compulsory acquisitions
- data quality on the experience of people subject to property acquisitions.
The NSW Government has the power to acquire land that is owned or leased by individuals or businesses, if it is needed for a public purpose. The power arises from the Land Acquisition (Just Terms Compensation) Act 1991 (the Just Terms Act). Government agencies that have the power to compulsorily acquire private property are referred to as ‘acquiring authorities’. People who are subject to acquisitions are referred to as ‘affected parties’ and include property owners (business or residential), businesses with a commercial lease on a property, or individuals with residential tenancy leases. In recent years, the vast majority of acquisitions by the NSW Government have been for public transport or road projects.
Sydney Metro is a NSW Government agency with responsibility for building the Sydney Metro railway project. Sydney Metro is Australia’s largest public transport project. The project requires the acquisition of a large number of private properties. Sydney Metro has been one of the largest acquirers of private property in recent years, completing over 500 acquisitions between 2020 and mid-2022, with a total acquisition value of over $2 billion. Other agencies and statutory officers involved in the acquisition of property for the Sydney Metro project include:
- the Department of Planning and Environment (DPE), which supports the minister responsible for the Just Terms Act. DPE also provides staff to the Valuer General of NSW
- the Valuer General of NSW, an independent statutory officer that determines compensation in cases where the acquiring authority and the affected party cannot agree on compensation for property that has been acquired
- Transport for NSW, which includes the Centre for Property Acquisition (CPA). The CPA does not have a direct role in acquiring properties, but its responsibilities include developing guidance for acquiring agencies and monitoring and reporting on their activities.
About this audit
The objective of this audit was to assess the effectiveness of acquisitions of private properties for Sydney Metro projects. The audit assessed agencies against the legislative and policy requirements in place for government acquisitions of private property in New South Wales. In line with the Audit Office's legislative mandate, the audit does not comment on the merits of the policy objectives reflected in the Just Terms Act.
The audit examined a sample of 20 property acquisitions. This was not a statistically representative sample. While our report provides comments on Sydney Metro’s overall acquisition processes, it does not provide assurance regarding the acquisitions that were not examined for this audit.
The audit did not re-perform the valuations done for individual properties that were acquired by Sydney Metro. Affected parties who disagree with the valuation of their property have the right to seek independent assessment of this via the Valuer General and the Land and Environment Court.
Conclusion
Acquisitions of property for the Sydney Metro project were mostly effective in the sample of acquisitions we assessed. Sydney Metro followed requirements for communication with affected parties. Compensation processes were conducted in compliance with legislative requirements, but compensation determinations for compulsory acquisitions were not completed within legislated time frames due to delays in receiving these from the Valuer General. Governance and probity processes were followed consistently, with some relatively minor exceptions.
Sydney Metro has detailed guidelines for acquisitions that are based on relevant legislation and government policy. In the 20 acquisitions we assessed for this audit, these procedures were followed consistently. This included adhering to minimum timelines for negotiation periods, engaging independent valuers and other experts when needed, and complying with governance and probity processes.
Sydney Metro staff followed requirements for communication and support for residential acquisitions by assigning ‘personal managers’ and providing additional support to affected parties when needed. The Centre for Property Acquisition (CPA) has overseen reforms to the residential property acquisition process in recent years. These reforms include the introduction of the NSW Property Acquisition Standards and the use of personal managers, in addition to the existing acquisition managers, for residential acquisitions. However, the CPA has not assessed the impact of these changes on the experiences on people affected by property acquisitions.
Sydney Metro did not comply with the legislative requirement to provide a formal compensation notice to the affected party within 45 days of a compulsory acquisition starting in any of the eight relevant acquisitions in our sample. This was because Sydney Metro must wait for the Valuer General to complete a compensation determination before Sydney Metro can send the compensation notice, and the Valuer General did not do this within 45 days. We acknowledge that Sydney Metro does not have full control over this process, and that it has taken steps to mitigate the impact of delays on affected parties.
This chapter presents our findings on Sydney Metro's acquisition of industrial and commercial properties. Industrial properties include construction businesses and manufacturing facilities. Commercial properties were mostly properties such as shopping centres and office towers. Many of these acquisitions involve businesses and properties that are relatively complex and have high values. This means the valuation process can require multiple experts and can be lengthy and contested. Adherence to governance and probity requirements is important for these acquisitions in order to demonstrate that the acquiring authority has achieved value for money.
This chapter presents our findings on Sydney Metro's acquisition of residential properties, which include apartments and houses, and small business leases, which mostly affected businesses in small shopping centres or arcades. Most of these acquisitions were lower value compared to industrial and commercial property acquisitions and did not require as much expert advice on complex technical issues. However, residential property acquisitions can be personally distressing for the affected parties and require staff from the acquiring authority to provide support and show empathy while ensuring legislative compliance and value for money.
Appendix one – Responses from agencies
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #375 - released 9 February 2023
Cyber Security NSW: governance, roles, and responsibilities
What the report is about
Cyber Security NSW is part of the Department of Customer Service, and aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats.
This audit assessed the effectiveness of Cyber Security NSW's arrangements in contributing to the NSW Government's commitments under the NSW Cyber Security Strategy, in particular, increasing the NSW Government's cyber resiliency. The audit asked:
- Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
- Are Cyber Security NSW's roles and responsibilities defined and understood across the public sector?
What we found
Cyber Security NSW has a clear purpose that is in line with wider government policy and objectives. However, it does not clearly and consistently communicate its key objectives, with too few reliable and meaningful ways of measuring progress toward those objectives.
Cyber Security NSW does not provide adequate assurance of the cyber security maturity self assessments performed by NSW Government agencies. Department heads are accountable for ensuring their agency's compliance with NSW government policy.
Cyber Security NSW has a remit to assist local government to improve cyber resilience. However, it cannot mandate action and does not have a strategic approach guiding its efforts.
What we recommended
By 30 June 2023 the Department of Customer Service should:
- implement an approach that provides reasonable assurance that NSW government agencies are assessing and reporting their compliance with the NSW Government Cyber Security Policy in a manner that is consistent and accurate
- ensure that Cyber Security NSW has a strategic plan that clearly demonstrates how the functions and services provided by Cyber Security NSW contribute to meeting its purpose and achieving NSW government outcomes
- ensure that Cyber Security NSW has a detailed, complete and accessible catalogue of services available to agencies and councils
- develop a comprehensive engagement strategy and plan for the local government sector, including councils, government bodies, and other relevant stakeholders.
The NSW Cyber Security Strategy details a vision for ‘…NSW to become a world leader in cyber security, protecting, growing, and advancing our digital economy’. Cyber Security NSW, located within the Department of Customer Service, has lead responsibility for one of the four commitments in the strategy: to increase the NSW Government’s cyber resilience.
Cyber Security NSW ‘aims to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats’. It does not provide broader consumer-focused services.
In August 2020, the NSW Government approved a business case to enhance the funding and remit of Cyber Security NSW to include a broader range of services and functions. As a result, Cyber Security NSW is receiving $60 million in funding from 2020–21 to 2022–23, an increase from its previous funding of around $5 million per year (which had been sourced from contributions from each NSW Government department).
The objective of this performance audit was to assess the effectiveness of Cyber Security NSW’s arrangements in contributing to the NSW Government’s commitments under the NSW Cyber Security Strategy, in particular, to increase the NSW Government’s cyber resilience.
We assessed this objective through two lines of inquiry:
- Are internal planning and governance processes in place to support Cyber Security NSW meet its objectives?
- Are Cyber Security NSW roles and responsibilities defined and understood across the public sector?
The Audit Office of New South Wales has reported on the topic of cyber security previously. Most recently, the Internal Controls and Governance 2022 report included findings and recommendations relating to cyber security internal controls and governance at 25 of the largest agencies in the NSW public sector. While that report is multi-agency and sought to assess the level of cyber security attained in selected agencies, this current performance audit report focuses specifically on Cyber Security NSW and how well-equipped it is to meet its whole-of-government cyber security leadership and coordination roles.
ConclusionCyber Security NSW has a clear purpose that is aligned with wider government policy and objectives, but it cannot effectively demonstrate its progress toward improving cyber resilience Cyber Security NSW's high-level purpose is to support the NSW Government’s delivery of digitised services that are protected, connected, and trusted. This purpose is consistent with broader NSW Government and Australian Government policy and builds on the purpose of the previous NSW Office of the Government Chief Information Security Officer, which was itself informed by external research and previous Audit Office of New South Wales recommendations. In delivering its purpose, Cyber Security NSW provides a wide range of services to NSW government agencies and the local government sector. The majority of agencies and councils consulted during this audit reported that the services they received contributed to improving their individual cyber security. However, Cyber Security NSW does not clearly and consistently communicate its key objectives to ensure that its efforts are effectively and efficiently targeted, prioritised, planned, and reported. This is despite it receiving enhanced funding to expand the scope of services it provides. It currently has many sets of objectives across a range of sources, including the Cyber Security Strategy, business plans, corporate material, and public communications. It has too few reliable and meaningful ways of measuring progress toward its objectives, and no overall workplan or roadmap to show how the objectives will be achieved. Without a clear and consistent program logic, it is difficult to determine whether the functions and services delivered by Cyber Security NSW are helping to achieve the level of cyber resilience required to meet the increasing cyber threats faced by the NSW public sector. Cyber Security NSW does not provide assurance of the cyber security maturity self-assessments performed by individual NSW Government agencies The NSW Government has a devolved model for cyber security assurance. Cyber Security NSW administers the whole-of-government policy settings, and agency heads are responsible for ensuring compliance with policy requirements. Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments. It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported. This form of auditing would be an important assurance that self-assessment and reporting is reliable. This is important given that maturity reporting is the main source of knowledge about the cyber security maturity and resilience of NSW Government agencies to cyber threats. If these self-assessments are unreliable, then it creates the risk that knowledge of the potential resilience of the NSW public sector to cyber security incidents is similarly unreliable. There is no other body in NSW with the mandate to routinely provide this form of assurance. Cyber Security NSW has a remit to assist local government improve cyber resilience, however it cannot mandate action, and does not have a strategic approach guiding its efforts Consistent with the expectations that accompanied its 2020 funding enhancement, Cyber Security NSW has engaged with the local government sector, albeit with mixed results. While these mixed results are partly a consequence of it not being provided a formal mandate in the sector, it has also been impacted by the fact that Cyber Security NSW has not established an engagement plan or strategy to guide its engagement with the local government sector. |
Cyber security is an evolving landscape where the nature and scale of threats are increasing. The Australian Cyber Security Centre (ACSC), the Australian Government lead agency for cyber security, reported in its in 2020–21 annual report that it received over 67,500 cybercrime reports, equating to one report of a cyber attack every eight minutes, with no sector of the economy or type of government agency immune.
Citizens of NSW are increasingly accessing online government services in this context, providing different types of sensitive personal information. This reliance and transition to digital services has increased in recent times, particularly during the COVID-19 pandemic. The NSW Legislative Council’s Portfolio Committee (the Committee) noted in the March 2021 inquiry report into cyber security in NSW that ‘a failure to get cyber security right in New South Wales represents a significant risk to the State’s economy, business and community, and will affect public trust in government’.
The Committee noted that sound cyber security practices across NSW Government agencies, which Cyber Security NSW was established to drive, will enable the State and community to leverage opportunities from the digital world. Indeed, NSW aims to become a world leader in cyber security by protecting, growing and advancing the digital economy.
Establishment of Cyber Security NSW
Prior to the establishment of Cyber Security NSW, the Office of the Government Chief Information Security Officer was responsible for cyber security across the NSW government sector. This role was announced in March 2017 and was tasked with ‘identifying areas of high risk of attack, and working across NSW agencies to share intelligence, facilitate minimum security standards, and ultimately ensure that citizens can trust in the NSW Government’s delivery of digital transformation’. At the time of this appointment, the Minister for Customer Service and Digital Government stated that ‘cyber security and risk has emerged as one of the most high-profile, borderless and rapidly evolving risks facing government’.
The Office of the Government Chief Information Security Officer was renamed on 20 May 2019 to Cyber Security NSW. Governance updates at the time note that this was undertaken to ‘better reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government’. The establishment of Cyber Security NSW was also partly in response to the Audit Office of New South Wales 2018 performance audit report on ‘Detecting and Responding to Cyber Security Incidents’. That audit found that there was no whole-of-government capability to detect and respond effectively to cyber security incidents. Cyber Security NSW is relatively new and is established as a branch within the Department of Customer Service (DCS).
The Office of the Government Chief Information Security Officer, and subsequently Cyber Security NSW, was initially funded through a levy imposed on clusters. Funding arrangements for Cyber Security NSW changed with the announcement in August 2020 of $240 million over three years for the stated purpose of bolstering the NSW Government’s cyber security capability and creating a world leading cyber industry. This funding included direct investment of $60 million from 2020–21 to 2022–23 for Cyber Security NSW to increase its capability and capacity, with the size of the team at the time expected to grow from 25 to 100 staff. In announcing this funding, the Minister for Customer Service and Digital Government stated that ‘…this is the biggest single cyber security investment in national history and will strengthen the government's capacity to detect and respond to the fast-moving cyber threat landscape’.
Cyber Security NSW is divided into two directorates, with one directorate having a focus on operations, and the other on policy and awareness. In turn, there are seven teams within the two directorates. As at March 2022, Cyber Security NSW had 76 ongoing positions filled, five contractors and 22 vacancies.
Cyber Security NSW states that its aim ‘…is to provide the NSW Government with an integrated approach to preventing and responding to cyber security threats. By building a stronger cyber resilience across whole-of-government, Cyber Security NSW is able to support the economic growth prosperity and efficiency of NSW’.
NSW Government Cyber Security Strategy
The NSW Government Cyber Security Strategy was released in September 2018 to ‘…guide and inform the safe management of government’s growing cyber footprint’. The 2018 Cyber Security Strategy also set out an action plan with success criteria against each of the six themes of the NSW cyber security framework. Based on a framework from the US National Institute of Standards and Technology (NIST), these themes are:
- lead
- prepare
- prevent
- detect
- respond
- recover.
The Strategy was revised in 2021 and combined with the Cyber Security Industry Development Strategy. The aim of this current strategy is to ‘…outline the key strategic objectives, guiding principles, and high-level focus areas that the NSW Government will use to align existing and future programs of work’. The strategy includes four NSW Government commitments to:
- increase NSW Government cyber resiliency
- help NSW cyber security businesses grow
- enhance cyber security skills and workforce
- support cyber security research and innovation.
Cyber Security NSW has responsibility as ‘lead agency’ on the first commitment. This role requires it to set commitment objectives and focus areas for the strategy and provide central leadership and coordination of programs and initiatives.
NSW Government Cyber Security Policy
The NSW Government’s Cyber Security Policy was released in February 2019, replacing the former Digital Information Security Policy. All NSW Government agencies must comply with the Cyber Security Policy, and it was recommended for adoption by State Owned Corporations (SOC), local councils, and universities.
The current version of the Cyber Security Policy sets out a range of mandatory requirements for agencies, including:
- annual reporting of their self-assessed levels of maturity against all the mandatory requirements of the Policy and the Australian Cyber Security Centre’s ‘Essential Eight’ requirements
- that agencies must provide a list of their ‘crown jewels’ and high and extreme risks to their cluster Chief Information Security Officer (CISO).
The Policy sets out that Cyber Security NSW:
- may assist agencies with their implementation of the Policy with an FAQ document and guidelines on several cyber security topics
- will summarise the maturity reports provided by agencies and provide the results to the relevant governance bodies including the Cyber Security Steering Group, Secretaries’ Board, relevant committees of Cabinet, Cyber Security Senior Officers’ Group, and the ICT and Digital Leadership Group, as well as use these reports to identify common themes and areas for improvement across NSW Government.
As discussed further in Chapter 3, a mandatory guideline issued by the Secretary of the Department of Customer Service in 2020 established that departments and agencies will be subject to audits by Cyber Security NSW. This is to test compliance with the Cyber Security Policy and report these outcomes to the Secretaries’ Board.
This chapter considers whether the Department of Customer Service has a strategic plan for Cyber Security NSW that includes a consistent hierarchy of priorities, which are then reflected in workplans, and inform decisions about specific functions and activities. It also considers whether:
- there was a sound, evidence-based rationale for why Cyber Security NSW was established
- the specific services and functions Cyber Security NSW provides are adequately targeted to agency and council needs
- there is adequate performance assessment of how the services and functions performed by Cyber Security NSW contribute to uplifting cyber maturity and increasing cyber resilience.
This chapter considers the distribution of responsibility for cyber security in the NSW public sector, as well as whether the responsibilities and roles of Cyber Security NSW are clear and understood by agencies and councils. It also considers whether Cyber Security NSW has sufficient authority and mandate to fulfill its responsibilities for both NSW Government agencies and the local government sector.
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #374 - released 8 February 2023
Design and implementation of the Transport Asset Holding Entity
What the report is about
The Transport Asset Holding Entity (TAHE) is the State's custodian of rail assets. It is a state owned corporation and commenced operating on 1 July 2020.
This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. We audited TAHE, Transport for NSW (TfNSW) and NSW Treasury.
Separate and related audits on TAHE are reported in 'State Finances 2022', 'State Finances 2021' and 'Transport and Infrastructure 2022' reports.
What we found
The design and implementation of TAHE, which spanned seven years, was not effective.
The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to support an accounting treatment to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments.
The benefits of TAHE were claimed in the 2015–16 NSW Budget before the enabling legislation was passed by Parliament in 2017. This committed the agencies to implement a solution that justified the 2015–16 Budget impacts, regardless of any challenges that arose.
Rail safety arrangements were a priority throughout TAHE's design and implementation, and risks were raised and addressed.
Agencies relied heavily on consultants on matters related to the creation of TAHE, but failed to effectively manage these engagements. Agencies failed to ensure that consultancies delivered independent advice as an input to decision-making. A small number of firms were used repeatedly to provide advice on the same topic. The final cost of TAHE-related consultancies was $22.6 million compared to the initial estimated cost of $12.9 million.
What we recommended
We recommended that the audited agencies should:
- improve accountability and transparency for major new fiscal transformation initiatives
- ensure entities do not reflect the financial impact of significant initiatives in the Budget when there is uncertainty, or it creates perverse incentives
- review record keeping practices, systems and policies to ensure compliance with the State Records Act 1998, and the NSW Government Information Classification, Labelling and Handling Guidelines
- review procurement policies to ensure that consultant use complies with all NSW Government policy requirements.
The NSW Government established the Transport Asset Holding Entity (TAHE), a statutory State Owned Corporation (SOC), on 1 July 2020 to replace the former rail infrastructure owner – RailCorp. It is the State's custodian of rail network assets, including rail tracks and other infrastructure, rolling stock, land, train stations and facilities, retail space, and signal and power systems, within metropolitan and regional New South Wales. It is responsible for $2.8 billion of major capital projects in 2022–23.
TAHE was established under Part 2 of the Transport Administration Act 1988 and is governed by a decision-making board. The Treasurer and the Minister for Finance and Employee Relations are the Shareholding Ministers of TAHE, and they annually agree performance expectations articulated in a Statement of Corporate Intent.
Whereas TAHE is the custodian of rail assets, Sydney Trains and NSW Trains operate public rail services. TAHE does not have responsibility for the operation of the heavy rail network or train services, nor does it have network control functions. TAHE, Sydney Trains and NSW Trains are in the Transport and Infrastructure cluster in the public sector (formerly the Transport cluster and renamed in April 2022), which also includes Sydney Metro and Transport for NSW (TfNSW).
TfNSW leads the Transport and Infrastructure cluster. Its role is to set the strategic direction for transport across the State. This involves the shaping of planning, policy, strategy, regulation, resource allocation and other service and non-service delivery functions for all modes of transport.
TAHE's Operating Licence is granted by the Portfolio Minister and authorises the entity to perform the functions required to acquire, develop, finance, divest and hold assets, pursuant to the Transport Administration Act 1988. The Portfolio Minister also issues a Statement of Expectations which outlines the government’s expectation for the business for the next three to five years.
TAHE's original Portfolio Minister was the Minister for Transport who approved, on 30 June 2020, the issuing of an interim 12-month Operating Licence to enable TAHE to commence operating on 1 July 2020. The Portfolio Minister then granted TAHE's current Operating Licence in 2021. After TAHE requested a 12-month extension to its current Operating Licence, its next Operating Licence is due on 1 July 2024. The current Portfolio Minister is the Minister for Infrastructure, Cities and Active Transport.
About this audit
This audit assessed the effectiveness of NSW Government agencies' design and implementation of TAHE. In making this assessment, we considered whether:
- the process of designing and implementing TAHE was cohesive and transparent, and delivered an effective outcome
- agencies' roles and responsibilities were clear in the planning of TAHE
- agencies effectively identified and managed certain risks.
Conclusion
The design and implementation of TAHE was not effective. The process was not cohesive or transparent. It delivered an outcome that is unnecessarily complex in order to meet the NSW Government's short-term Budget objectives, while creating an obligation for future governments to sustain TAHE through continuing investment, and funding of the state owned rail operators. The ineffective process to design TAHE delivered a model that entails significant uncertainty as to whether the anticipated longer-term financial improvements to the Budget position can be achieved or sustained.
NSW Treasury and TfNSW had different objectives for TAHE
Up to June 2013, RailCorp had been the owner and operator of rail services and maintainer of the metropolitan rail network for almost a decade. It had been operating as a not-for-profit Public Non-Financial Corporation (PNFC).
In 2012, NSW Treasury (hereafter Treasury) decided there was a risk that the Australian Bureau of Statistics (ABS) would reclassify RailCorp to the General Government Sector (GGS), meaning depreciation expenses of approximately $870 million would be reflected in the GGS Budget. Treasury wanted to avoid this impact on the GGS Budget, and considered the establishment of a transport asset holding entity as a means to do so. Capital grants to RailCorp were being treated as an expense to the GGS Budget.
TfNSW also wanted an asset holding entity – but one that would be a non-trading ‘shell’ company with no staff that would hold and manage all public transport assets. TfNSW's concept envisaged the entity would have a structure that would enable future public transport reforms and strategic directions while ensuring vertical integration of operations between asset owners and the rail operators to maintain rail safety.
However, Treasury pursued its objective to improve the GGS Budget result, and sought to expand on TfNSW's 'shell' asset holding entity concept. Treasury wanted an entity that could generate a return on investment, as this meant that government investment in transport assets could be treated as equity investments, rather than a Budget expense, and in turn improve the GGS Budget position. As an example of the potential impact of creating this new entity, capital grants of $2.3 billion were paid to RailCorp in 2013–14. If Treasury's objective was met, grants of this significance would then be treated as an equity investment, rather than an expense in the GGS Budget.
In 2017, Treasury's preferred option was progressed through legislation, but both agencies' central objectives for the proposed asset holding entity would continue to prove difficult to reconcile. To achieve Treasury's objective to improve the Budget result, the entity would need to generate a return on investment (this is further discussed below). However, TfNSW expressed concerns that the prioritisation of rail safety, and the effective management of governance, regulation and operations would be more complex in an entity with commercial imperatives.
Asset holding entities are a common approach to the management of transport assets in Australia and internationally, and there are a range of approaches to how they are structured and used. Such structures should be driven by the goal of improved asset management. Ultimately, TfNSW's objectives could have been delivered through a simpler entity structure. However, reconciling TfNSW's objectives with Treasury's imperative to deliver and justify a Budget improvement in the short-term resulted in an overly lengthy process and an unnecessarily complex outcome that places an obligation on future governments to sustain. There is still significant uncertainty as to whether the short-term improvements to the Budget can continue to be realised in the longer-term.
The Budget benefits of TAHE were claimed before the entity was legislated, committing the agencies to deliver, regardless of the complexities that subsequently arose
The 2015–16 GGS Budget treated the government's investment in TAHE (still known at this time as RailCorp) as an equity contribution. This had the immediate impact of improving the Budget result by $1.8 billion per annum. However, the legislation to enable the establishment of TAHE had not yet been passed by Parliament, key elements of the operating model were still under development, and imminent changes in accounting standards had the potential to impact TAHE's financial model. The decision to book the benefits in the Budget early committed the involved agencies to implement a solution that justified the 2015–16 Budget impacts, irrespective of the challenges that arose.
TAHE's financial structure requires circular government investment to work
For the NSW Government to continue to treat its investment in TAHE as an equity contribution, rather than an expense to the Budget, there must be a reasonable expectation that TAHE will generate a sufficient rate of return as required by the Government Finance Statistics (GFS) framework. In doing so, it needs to recover a revaluation loss created by a $20.3 billion reduction in the value of its assets which was incurred in its first full year of operation. This loss occurred as a result of a revaluation of TAHE's assets when RailCorp (a not-for profit entity) became TAHE (a for-profit commercial entity) – and is discussed further in the 'Key findings' below.
TAHE generates a small portion of its income from transactions with the private sector but, as noted in our report 'State Finances 2021', TAHE receives the majority of its revenue (more than 80%) from access and licence fee agreements with Sydney Trains and NSW Trains. Both of these entities are funded by grants (a Budget expense) to TfNSW from the GGS Budget.
Based on Treasury’s correspondence with the ABS in 2015, TAHE was initially expected to pay a return on equity of 7% in 2016–17. The assumption of a 7% return persisted through to 2018, after the legislation enabling the establishment of TAHE was passed by Parliament. However, when the initial access and licence fees were agreed on 1 July 2020, this figure had been revised to an expected rate of return of 1.5% excluding the revaluation loss. This was below the long-term inflation target and did not include the recovery of the revaluation loss – risking the government's ability to treat its investment in TAHE as an equity contribution. Importantly, as TAHE is primarily reliant on fees paid by the state owned rail operators that, in turn, are funded by the GGS Budget (as an expense), the decision to change the returns model from 7% to 1.5% would in its own right have had a positive impact on the GGS Budget. However, the decision to use a 1.5% return would ultimately be problematic as it made it difficult to treat the government's contributions to TAHE as an equity investment, as discussed below.
On 14 December 2021, to avoid a qualified audit opinion, the NSW Government made the decision to increase TAHE's expected rate of return to 2.5%, equal to the Reserve Bank’s long-term inflation target.
In 2021-22, TAHE needed to start charging rail operators higher access and licence fees in order to generate a return of 2.5%, so as to support the government's treatment of its investment in TAHE as an equity contribution in the GGS Budget. This meant the government needed to provide additional grant (expense) funding to the state owned rail operators so they could pay the increased access and licence fees to TAHE. Based on current projections, TAHE is not expected to recover the revaluation loss until 2046.
There remains a risk that TAHE will not be able to generate a sufficient return on the NSW Government's investment without relying on increased funding to state owned rail operators so that they can in turn pay the higher access and licence fees. TAHE's ability to generate returns on government investment from other sources are uncertain and may not be achievable or sustainable. Current modelling highlights that TAHE remains largely reliant, through to 2046, on increasing fees (which are assumed to increase at 2.5% per annum from 2031 onwards when the current 10 year contracts with rail operators expire) paid by the state owned rail operators that remain principally reliant on GGS Budget grants.
The process of designing and implementing TAHE was not transparent to independent scrutiny
Our report 'State Finances 2021' commented that Treasury did not always provide this Office with information relating to TAHE on a timely basis. Similarly, during this performance audit, there were also multiple instances where auditees were unable to provide documentation regarding key activities in the process to deliver TAHE. Agencies also applied higher sensitivity classifications to large tranches of documents than was justified or required by policy. Of particular concern is the incorrect classification of documents as Cabinet sensitive information. The incorrect or over-classification of documentation as Cabinet sensitive delayed this Office's ability to provide scrutiny or independent assurance.
There was a lack of clarity around the roles and responsibilities of governance structures set up to oversee the design and implementation of TAHE
From 2014, multiple workstreams and advisory committees were established to progress the design and implementation of TAHE. For some of these committees and workstreams, there is limited information on what they were tasked to do and what they achieved. Most had ceased meeting by 2018, before significant work needed to deliver TAHE was completed.
The lack of clarity around the roles and responsibilities of these governance structures reduced opportunities for TfNSW and Treasury to reconcile their differing objectives for TAHE, and resolve key questions earlier in the process.
There was a heavy reliance on consulting firms throughout the process to establish TAHE, and the management of consultant engagements failed to ensure that agencies received independent advice to support objective decision-making
In 2020, Treasury and TfNSW failed to prevent, identify, or adequately manage a conflict of interest when they engaged the same 'Big 4' consulting firm to work on separate TAHE-related projects. Both agencies used the firm's work to further their respective views with regard to the financial implications of TAHE's operating model. At this time those views were still unreconciled.
Treasury engaged the firm to provide a fiscal risk management strategy and advice on the impact of changes to accounting standards. TfNSW engaged the same firm to develop operating and financial models for TAHE, which raised concerns regarding the viability of TAHE. Disputes arose around the findings of these reports. Treasury disagreed with some of the outcomes of the work commissioned by TfNSW, relating to accounting treatment and fiscal advice.
The management of this conflict (real or perceived) was left to the 'Big 4' consulting firm when it was more appropriate for it to be managed by Treasury and TfNSW. If these agencies had communicated more effectively, used available governance structures consistently, and shared information openly about their use of the firm and the nature of their respective engagements, these disputes might have been avoided. This issue, coupled with deficiencies in procurement by both agencies, reflected and further perpetuated the lack of cohesion in the design and implementation of TAHE.
More broadly, over the period 2014 – 2021, 16 separate consulting firms were employed to work on 36 contracts, valued at over $22.56 million, relating to TAHE ranging from accounting and legal advice, project management, and the provision of administrative support and secretariat services.
Consultants are legitimately used by agencies to provide advice on how to achieve the outcomes determined by government, including advising agencies on the risks and challenges in achieving those outcomes. Similarly, consultants can provide expert knowledge in the service of achieving those outcomes and managing the risks. However, the heavy reliance on consulting firms during the design and implementation of TAHE heightened the risk that agencies were not receiving value for money, were outsourcing tasks that should be performed by the public service, and did not mitigate the risk that the advice received was not objective and impartial. The risk that the role of consultants could have been blurred between providing independent advice to government on options and facilitating a pre-determined outcome was not effectively treated or mitigated. This risk was amplified because a small number of firms were used repeatedly to provide advice on one topic. The effective procurement and management of consultants is an obligation of government agencies.
Appendix two – Classification of government entities
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #372 - released 24 January 2023
Planning and Environment 2022
What the report is about
Result of the Planning and Environment cluster agencies' financial statements audits for the year ended 30 June 2022.
What we found
Unmodified audit opinions were issued for all completed 30 June 2022 financial statements audits of cluster agencies. Seven audits are ongoing.
Disclaimed audit opinions were issued for the 2010–11 to 2015–16 financial statements of the Water Administration Ministerial Corporation (WAMC), as management was unable to certify that the financial statements exhibit a true and fair view of WAMC's financial position and financial performance.
Qualified audit opinions were issued for WAMC's 2016–17 and 2017–18 financial statements due to insufficient evidence to support the completeness and valuation of water meters infrastructure assets, the impairment of water meters, and the completeness of buildings at Nimmie Caira.
Unqualified audit opinions were issued for WAMC's 2018–19 and 2019–20 financial statements.
The Department of Planning and Environment (the department) assessed 45 Category 2 Statutory Land Managers (SLM) did not meet the reporting exemption criteria and therefore were required to prepare 2021–22 financial statements. None of these 45 Category 2 SLMs prepared and submitted their 30 June 2022 financial statements by the statutory reporting deadline.
All 119 Commons Trusts have never submitted their financial statements for audit as required by the Government Sector Finance Act 2018 (GSF Act).
NSW Treasury has confirmed that the Catholic Metropolitan Cemeteries Trust (CMCT) is a controlled entity of the State. To date, CMCT has not met its obligations to prepare financial statements under the GSF Act and it has not submitted financial statements to the Auditor-General for audit.
What the key issues were
Since 2017, the Audit Office has recommended the department address the different practices across the local government sector in accounting for rural firefighting equipment. Despite repeated recommendations, the department did little to resolve this issue. At the time of writing, 32 of 118 completed council audits received qualified audit opinions on their 30 June 2022 financial statements.
There continues to be significant deficiencies in Crown land records. The department uses the Crown Land Information Database (CLID) to record key information relating to Crown land in New South Wales that is managed and controlled by the department and land managers. The CLID system was not designed to facilitate financial reporting, and the department is required to conduct extensive adjustments and reconciliations to produce accurate information for the financial statements.
The department implemented the CrownTracker system as a replacement for CLID. The project was finalised in June 2022, but it has not achieved the intended outcomes.
Nine high-risk issues were identified across the cluster related to the findings outlined above and weaknesses in IT general controls, financial reporting, governance processes and internal controls.
Recommendations were made to address these deficiencies.
This report provides Parliament and other users of the Planning and Environment cluster’s financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the Planning and Environment cluster (the cluster) for 2022.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the Planning and Environment cluster.
Section highlights
|
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Timeliness of financial reporting
Appendix four – Financial data
Appendix five – Councils received qualified audit opinions
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Development applications: assessment and determination stages
What the report is about
Local councils in New South Wales are responsible for assessing local and regional development applications.
Most development applications are assessed and determined by council staff under delegated authority. However, some development applications must be referred to independent local planning panels or Sydney and regional planning panels for determination.
Councils provide support to local planning panels. The Department of Planning and Environment provides support to Sydney and regional planning panels.
This audit assessed whether Byron Shire Council, Northern Beaches Council and The Hills Shire Council had effectively assessed and determined development applications in compliance with legislative and other requirements.
It also assessed whether The Hills Shire Council, Northern Beaches Council and the Department of Planning and Environment had provided effective support to relevant independent planning panels.
What we found
All councils had established clear roles, responsibilities and delegations for assessment and determination of development applications and had also established processes to ensure quality of assessment reports.
Northern Beaches Council and The Hills Shire Council have established comprehensive approaches to considering and managing risks related to development assessment.
Northern Beaches Council's approach to publishing its assessment reports promotes transparency.
Across a sample of development applications assessed and determined between 2020–22:
- Northern Beaches Council and The Hills Shire Council had assessed and determined applications in compliance with legislative and other requirements. However, The Hills Shire Council could do more to transparently document any conflicts of interest within assessment reports.
- Byron Shire Council had assessed most applications in compliance with legislative and other requirements. However, we found opportunities for the Council to:
- ensure determinations were made in line with delegations
- strengthen its approach to transparent management of conflicts of interest and quality review of assessments.
The Hills Shire Council and Northern Beaches Council had effectively supported their respective local planning panels.
The Department of Planning and Environment had processes that meet requirements for supporting regional planning panels but could do more to promote consistency in approach, share information across panels and measure the effectiveness of its support.
What we recommended
We made recommendations to Byron Shire Council, The Hills Shire Council and the Department of Planning and Environment to address the gaps identified and improve the transparency of processes.
Local councils in New South Wales are responsible for assessing local and regional development applications under the Environmental Planning and Assessment Act 1979 (EP&A Act).
In assessing development applications, councils consider:
- whether the proposed development application is compliant with legislation and environmental planning instruments
- whether the proposed development meets local planning controls and objectives
- any environmental, social and economic impacts
- any submissions from impacted properties, neighbours and interested parties
- the public interest.
Once assessed, a development application will be determined by council staff under delegated authority, the elected council, or an independent planning panel.1
The involvement of a particular independent planning panel is established under legislative and policy instruments, and depends on the type and value of the proposed development. Most development applications are assessed and determined by council staff under delegated authority.
In determining development applications, independent planning panels must manage any potential, real or perceived conflicts of interest of panel members for a given development application, meet and vote on development applications, and publish their decisions and reasons.
Under the EP&A Act, and as required by statutory instruments and procedures, councils and the Department of Planning and Environment (DPE) must provide secretariat and other support functions to independent planning panels.
Previous reviews and inquiries have identified several significant risks that are present within the processes involved in the assessment and determination of development applications. These risks include possible non-compliance with complex legal and policy requirements, potential improper influence from developers and other stakeholders, and a perceived lack of transparency within the planning system and planning outcomes.
There are several planning pathways for development in New South Wales. This audit focuses on local and regional development that requires assessment and determination by a local council and/or an independent local planning panel or Sydney or regional planning panel in three Local Government Areas (LGAs): Byron Shire Council, Northern Beaches Council, The Hills Shire Council.
Audited councils were selected from a range of criteria, including:
- the number, value and types of development applications determined in 2018–19
- average determination timeframes
- appeals against determinations and Land and Environment Court outcomes
- LGA demographics.
The audit also avoided councils that had previously been subject to a performance audit.
The objective of this audit was to assess whether:
- selected councils have effectively assessed and determined development applications in compliance with relevant legislation, regulations and government guidance
- selected councils and DPE effectively support independent planning panels to determine development applications in compliance with relevant legislation, regulations and government guidance.
Conclusion – Byron Shire Council
Byron Shire Council has established clear roles, responsibilities and delegations for assessment and determination of development applications. However, the effectiveness of the Council's approach is limited by gaps in governance, risk management and internal controls.
Byron Shire Council has established clear roles, responsibilities and delegations for assessment and determination of development applications. However, the Council does not have a consolidated policy and procedure for development assessment, has not adequately followed up on the outcomes of internal reviews that identified opportunities to strengthen its assessment and determination procedures and approach, and has not demonstrated that it has managed relevant risks effectively.
The Council has not ensured that delegations have been consistently followed in the assessment of development applications.
Byron Shire Council's approach to managing conflicts of interest in development assessments does not provide transparency over potential conflicts of interest.
Byron Shire Council manages the risk of conflicts of interest for development assessment under its Code of Conduct. The Council has also implemented a separate policy that details additional requirements for managing conflicts of interest relevant to the development assessment process, but has not regularly updated this policy and requirements between it and the Code of Conduct have not been aligned. This creates a risk that planning staff may be following inconsistent or outdated advice in managing conflicts of interest.
Across the period of review, the Council did not require staff to provide a disclosure of interest for individual development applications to be contained within assessment reports. Including these disclosures would increase transparency and ensure that staff are sufficiently considering any conflicts of interest relevant to each separate assessment process.
Byron Shire Council has processes that promote compliance with legislation, regulation and government policy, but can improve how it undertakes some aspects of these that would ensure transparency, quality and consistency.
Our review of a sample of completed development applications from the Council indicated that most assessments were completed in compliance with relevant legislation, regulations and government guidance, but that there were some opportunities to improve elements of the assessment process, including: transparency of any conflicts of interest involved in the assessment process, ensuring compliance with delegated authority limits, and consideration of modification application provisions.
The Council has established templates to guide planners through relevant assessment considerations required by legislation, regulations and other guidance. However, it could do more to strengthen its approach to peer or manager review, monitoring legislative changes, and how it monitors the completion of relevant training by planning staff.
Conclusion – Northern Beaches Council
Northern Beaches Council has established processes to support compliant and effective assessment and determination of development applications.
The Council has a clear governance and risk management framework for development assessment that sets out roles, responsibilities and delegations.
Northern Beaches Council has established clear roles, responsibilities and delegations for development application assessment and determination. The Council has identified development assessment related risks, and has put in place controls and mitigating actions to manage the risks to within risk tolerances.
Northern Beaches Council's approach to managing conflicts of interest promotes transparency.
Northern Beaches Council manages the risk of conflicts of interest for development assessment under its Code of Conduct. The Council has implemented an additional framework for planning staff to respond to the risk of conflicts of interest in development assessment processes. This framework requires its staff to disclose any conflicts of interest as a formal step in assessing development applications and includes declarations of any interests within assessment reports or planning panel minutes.
Our review of a sample of completed development applications indicated that the assessment reports had been compliant with the Council's approach to transparently documenting conflicts of interest.
Northern Beaches Council has established processes to deliver consistent, quality assessment of development applications.
Northern Beaches Council staff use an electronic development assessment tool that provides guidance, links to legislative and policy instruments and other applications that support assessment and drive consistency in approach. The Council applies a peer review process in which a manager or team member in a more senior position reviews an assessment report prior to determination to ensure that expected standards of quality and consistency have been met.
Our review of a sample of completed development applications indicated that assessments were undertaken in compliance with relevant legislation, regulations and government guidance.
Northern Beaches Council transparently documents assessment reports, supporting information and determination outcomes.
Northern Beaches Council has implemented a transparent approach to how it assesses and determines development applications. The Council publishes assessment reports, supporting technical reports, plans and submissions for all development applications. Notices of determination and final plans are also published alongside the assessment reports, allowing for greater transparency to the public.
Northern Beaches Council has established processes to effectively support the Northern Beaches Local Planning Panel.
Northern Beaches Council has established processes to support the Northern Beaches Local Planning Panel as required under legislative and policy instruments. The Council has processes to ensure that development applications required to be referred to a planning panel are identified and monitored, supports identification and documentation of any conflicts of interest, and transparently documents decisions of the panel.
Our review of a sample of meeting records held across the audit period of review indicated that these requirements were met and were transparently documented.
Conclusion – The Hills Shire Council
The Hills Shire Council has established processes to support compliant and effective assessment and determination of development applications.
The Council has established a comprehensive governance and risk management framework for development assessment that sets out clear roles, responsibilities and delegations.
The Hills Shire Council has established a comprehensive framework for managing risks related to development assessment. Such risks are clearly identified and associated controls are in place to reduce or mitigate the risks. The Council has undertaken regular internal audits of development assessments, including reviewing completed applications to ensure compliance with relevant legislative and policy requirements.
The Council has established clear roles, responsibilities and delegations, and its staff assessing and determining development applications are supported by a standard set of policies and procedures for undertaking assessment and determination of applications.
The Hills Shire Council is managing conflicts of interest in line with Code of Conduct requirements but could more transparently document these.
The Hills Shire Council manages conflicts of interest for those involved in development application processes through provisions under its Code of Conduct. Under this Code of Conduct, staff must declare any conflicts of interest to their manager. However, the Council does not require staff to disclose any conflicts of interest in development application assessment reports which limits transparency to reviewing managers or any other determination bodies.
The Hills Shire Council has established processes to deliver consistent, quality assessment of development applications.
The Hills Shire Council has established templates to guide planners through relevant development assessment and determination considerations required by legislation, regulations and other guidance. The Council requires a peer review to occur prior to any determination which ensures a check on the compliance and quality of the assessment report prepared.
Our review of a sample of completed development applications from the Council indicated that assessments were performed in compliance with relevant legislation, regulations and government guidance.
The Hills Shire Council has established processes to effectively support The Hills Shire Local Planning Panel.
The Hills Shire Council has met requirements to provide secretariat and other support to The Hills Shire Local Planning Panel as required under legislative and policy instruments. It has processes to ensure that development applications required to be referred to a planning panel are identified and monitored, supports identification and documentation of any conflicts of interest, and transparently documents decisions of the panel.
Our review of a sample of meeting records held across the audit period of review indicated that these requirements were met and were transparently documented.
Conclusion – Department of Planning and Environment
The Department of Planning and Environment (DPE) has established processes that meet its statutory and policy requirements to support Sydney and regional planning panels.
DPE has established processes to provide secretariat and other support to planning panels. It has met requirements to provide administrative support to the panels through its planning panels secretariat including undertaking administrative functions, supporting recruitment of panel members, and addressing complaints about the panel processes.
DPE has not ensured collection of annual pecuniary interest declarations for all panel members for the three Sydney and regional planning panels in scope for this audit. DPE could not provide annual pecuniary interest declarations for part of the audit period for three of the 47 members of these panels, as is required by DPE's Code of Conduct for Regional Planning Panels.
DPE does not formally measure its effectiveness in providing support to panels, but panel chairs consulted as part of this audit advised that they had no concerns with the level of secretariat support provided by DPE.
DPE could do more to facilitate information sharing between panels and could formalise how it provides comparative information to panels to improve consistency and standardisation in approach and share good practice. DPE has identified these gaps in reviews of its services and functions and has a plan in place to address them.
DPE has effectively documented planning panel decisions and made them available to all stakeholders. It also effectively documented interests declared as part of consideration of development applications for in-scope panels.
This audit continues a series of audits examining the development assessment process in NSW local councils and is focused on the assessment and determination stages.
The Audit Office of New South Wales previously considered local government development assessments in our 2019 performance audit: 'Development assessment: pre-lodgement and lodgement in Camden Council and Randwick City Council'.
Appendix one – Response from agencies
Appendix two – Council profile: Byron Shire Council
Appendix three – Council profile: Northern Beaches Council
Appendix four – Council profile: The Hills Shire Council
Appendix five – About the audit
Appendix six – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #370 - released 12 December 2022
Audit Insights 2018-2022
What the report is about
In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.
This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.
The report is framed by recognition that the past four years have seen significant challenges and emergency events.
The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.
The report is a resource to support public sector agencies and local government to improve future programs and activities.
What we found
Our analysis of findings and recommendations is structured around six key themes:
- Integrity and transparency
- Performance and monitoring
- Governance and oversight
- Cyber security and data
- System planning for disruption
- Resource management.
The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.
In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.
The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.
A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.
Fast facts
- 72 audits included in the Audit Insights 2018–2022 analysis
- 4 years of audits tabled by the Auditor-General for New South Wales
- 6 key themes for Audit Insights 2018–2022.
I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.
The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.
A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.
However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.
While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.
Margaret Crawford
Auditor-General for New South Wales
| Integrity and transparency | Performance and monitoring | Governance and oversight | Cyber security and data | System planning | Resource management |
| Insufficient documentation of decisions reduces the ability to identify, or rule out, misconduct or corruption. | Failure to apply lessons learned risks mistakes being repeated and undermines future decisions on the use of public funds. | The control environment should be risk-based and keep pace with changes in the quantum and diversity of agency work. | Building effective cyber resilience requires leadership and committed executive management, along with dedicated resourcing to build improvements in cyber security and culture. | Priorities to meet forecast demand should incorporate regular assessment of need and any emerging risks or trends. Absence of an overarching strategy to guide decision-making results in project-by-project decisions lacking coordination. | Governments must weigh up the cost of reliance on consultants at the expense of internal capability, and actively manage contracts and conflicts of interest. |
| Government entities should report to the public at both system and project level for transparency and accountability. | Government activities benefit from a clear statement of objectives and associated performance measures to support systematic monitoring and reporting on outcomes and impact. | Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective controls. | In implementing strategies to mitigate cyber risk, agencies must set target cyber maturity levels, and document their acceptance of cyber risks consistent with their risk appetite. | Service planning should establish future service offerings and service levels relative to current capacity, address risks to avoid or mitigate disruption of business and service delivery, and coordinate across other relevant plans and stakeholders. | Negotiations on outsourced services and major transactions must maintain focus on integrity and seeking value for public funds. |
| Entities must provide balanced advice to decision-makers on the benefits and risks of investments. | Benefits realisation should identify responsibility for benefits management, set baselines and targets for benefits, review during delivery, and evaluate costs and benefits post-delivery. | Active review of policies and procedures in line with current business activities supports more effective risk management. | Governments hold repositories of valuable data and data capabilities that should be leveraged and shared across government and non-government entities to improve strategic planning and forecasting. | Formal structures and systems to facilitate coordination between agencies is critical to more efficient allocation of resources and to facilitate a timely response to unexpected events. | Transformation programs can be improved by resourcing a program management office. |
| Clear guidelines and transparency of decisions are critical in distributing grant funding. | Quality assurance should underpin key inputs that support performance monitoring and accounting judgements. | Governance arrangements can enable input into key decisions from both government and non-government partners, and those with direct experience of complex issues. | Workforce planning should consider service continuity and ensure that specialist and targeted roles can be resourced and allocated to meet community need. | ||
| Governments must ensure timely and complete provision of information to support governance, integrity and audit processes. | |||||
| Read more | Read more | Read more | Read more | Read more | Read more |
This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.
- Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
- Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
- Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.
This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.
The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.
This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.
Appendix one – Included reports, 2018–2022
Appendix two – About this report
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
NSW planning portal
What the report is about
The ePlanning program is an initiative of the Department of Planning and Environment (the department) to deliver a digital planning service for New South Wales through the NSW planning portal (the portal).
Using the portal, relevant planning activities can be carried out online, including all stages of development applications.
The portal has been developed under three separate business cases in 2013, 2014 and 2020.
In late 2019, the government mandated the use of the portal for all development applications. This decision took effect across 2020–21.
This audit assessed the effectiveness of the department's implementation, governance and stakeholder engagement in delivering the NSW planning portal.
What we found
Since implementation commenced in 2013, the NSW planning portal has progressively achieved its objectives to provide citizens with access to consolidated planning information, and allow them to prepare and submit development applications online.
Shortcomings in the department's initial planning and management of the program led to a significant time overrun. It has taken the department longer and cost significantly more to implement the portal than first anticipated.
In recent years the department has improved the planning, implementation and governance of the ePlanning program, resulting in improved delivery of the portal’s core functions.
The department now has a clear view of the scope necessary to finalise the program, but has not yet published the services it plans to implement in 2022 and 2023.
Mandating the use of the portal for all development applications changed the program's strategic risk environment and required the department to work more closely with a cohort of stakeholders, many of whom did not want to adopt the portal.
Despite this change, the department kept its overall delivery approach the same.
While implementation of the portal has delivered financial benefits, the department has overestimated their value.
The Department has only reported benefits since 2019 and has not independently assured the calculation of benefits.
What we recommended
By December 2022, the department should:
- publish a roadmap of the services it expects to release on the portal across 2022 and 2023
- update its ePlanning program assumptions, benefits targets and change management approach to reflect the government's decision to mandate the use of the portal for all stages of a development application
- independently assure and report publicly the correct calculation of ePlanning program benefits.
Fast facts
- 10 years taken to implement the portal when completed
- 3 years longer than initially planned to implement the portal
- $146m capital expenditure on the portal when completed
- $38.5m more spent than planned in the business cases.
The ePlanning program is an initiative of the Department of Planning and Environment (the department) to deliver a digital planning service for New South Wales through the NSW planning portal (the portal, or the planning portal). The department defines the portal as an online environment where community, industry and government can work together to better understand and meet their obligations under the Environmental Planning and Assessment Act 1979 (NSW). Using the portal, relevant planning activities can be carried out online throughout New South Wales. This includes, but is not limited to:
- applying for and gaining planning approval
- applying for and gaining approval for building works, sub-dividing land and similar activities
- issuing occupancy and other certificates.
The portal has been developed under three separate business cases. The first business case in 2013 led to the creation of a central portal, which made planning information available to view by planning applicants and allowed some planning applications to be lodged and tracked online.
Under a second business case prepared in 2014, the department set out to improve and widen the functions available via the portal. The department prepared a third business case in 2020 to fund further improvements to the portal over the period July 2020 to June 2023. The third business case also extended the portal's functions to support the building and occupation stages of the planning cycle.
In late 2019, the government mandated the use of the portal for all stages of development applications. This decision took effect across 2020–21 and applied to all councils as well as certifiers and others involved in the planning process.
The objective of this performance audit was to assess the effectiveness of the department's implementation, governance and stakeholder engagement in delivering the NSW planning portal. We investigated whether:
- delivery of the NSW planning portal was planned effectively
- sound governance arrangements are in place to ensure effective implementation of the program
- users of the NSW planning portal are supported effectively to adopt and use the system.
Conclusion
Since implementation commenced in 2013, the NSW planning portal has progressively achieved its objectives to provide citizens with access to consolidated planning information and allow them to prepare and submit development applications online. Implementation was initially hindered by deficiencies in planning and it has taken the department significantly longer and cost significantly more to implement the portal than first anticipated. While the portal's implementation has delivered financial benefits, the department has overestimated their value. As a result, the department cannot yet demonstrate that the portal has achieved overall financial benefits, relative to its costs.
In the first two years of the ePlanning program, the department delivered a portal that allowed planners, developers, certifiers and the public to view important planning information. However, the department found the delivery of a second, transactional version of the portal in 2017 to be much more challenging. This version was intended to offer more integrated information and allow development applications to be submitted and managed online. The department did not rollout this version after a pilot showed significant weaknesses with the portal's performance. A subsequent review found that this was partly because the department did not have a clear view of the portal’s role or the best way to implement it. In recent years the department has improved the planning, implementation and governance of the ePlanning program resulting in improved delivery of the portal’s core functions.
By the time the program reaches its scheduled completion in 2023, it will have taken the department ten years and around $146 million in capital expenditure to implement the portal. This will be significantly longer and more expensive than the department originally expected. This overrun is partly due to an increased scope of services delivered through the portal and an initial under-appreciation of what is involved in creating a standard, central resource such as the portal. The department also experienced some significant implementation difficulties – which saw the transactional portal discontinued after it was found to be not fit for purpose. Following this, the department re-set the program in 2017–18 and re-planned much of the portal's subsequent development.
In November 2019, the New South Wales Government decided to mandate the use of the portal for all stages of development applications by the end of 2020–21. The department had previously planned that the portal would be progressively adopted by all councils and other stakeholders over the five years to 2025. The decision to mandate the portal's use for all development applications brought forward many of the portal's benefits as well as the challenges of its implementation. The department did not change its overall delivery approach in response to the changed risks associated with the government's decision to mandate use of the portal.
The current version of the portal has given the department more timely and comprehensive planning information and has helped New South Wales to provide continuous planning services during COVID-19 lockdowns, which interrupted many other public functions. The portal has also delivered financial benefits, however the department has not independently assured benefits calculations carried out by its consultant, and the reported benefits are overstated. In addition, some stakeholders report that the portal is a net cost to their organisation. This has included some certifiers and some councils which had implemented or had started to implement their own ePlanning reforms when use of the portal was mandated in 2019. The department now needs to address the issues faced by these stakeholders while continuing to deliver the remaining improvements and enhancements to the portal. Over the remaining year of the program, it will be critical that the department focuses on the agreed program scope and carefully evaluates any opportunities to further develop the portal to support future planning reforms.
This part of the report sets out how:
- the ePlanning program has been planned and delivered
- users of the portal have been supported
- the program has been governed.
This part of the report sets out the ePlanning program's:
- expected and reported financial benefits
- calculation of financial benefits.
In 2019, the department increased its expectations for net financial benefits
The department's three ePlanning business cases each forecast substantial financial benefits from the implementation of the planning portal. The department expected that most financial benefits would flow to planning applicants due to a quicker and more consistent planning process. It also expected that government agencies and councils would benefit from the portal.
| Business case 1 ($ million) |
Business case 2 ($ million) |
Business case 3 ($ million) |
Total ($ million) |
|
|---|---|---|---|---|
| Benefits | 90.0 | 44.3 | 270.9 | 405.2 |
| Costs | 43.3 | 29.4 | 89.8 | 162.5 |
| Net benefits | 46.7 | 15.0 | 181.1 | 242.7 |
Source: Audit Office analysis of data provided by the Department of Planning and Environment.
In 2019 the department commissioned a review to explore opportunities to better identify, monitor and realise the benefits of the ePlanning program. Using this work, the department updated the expected benefits for business cases 1 and 2 to take account of:
- errors and miscalculations in the original benefits calculations
- slower delivery of the portal and changes to the take-up of portal services by councils
- changes to the services supported by the portal.
| Original business case 1 and 2 (combined) ($ million) |
New business case 1 and 2 (combined) ($ million) |
|
|---|---|---|
| Benefits | 134.3 | 210.6 |
| Costs | 72.7 | 96.3 |
| Net benefits | 61.7 | 114.3 |
Source: Audit Office analysis of data provided by the Department of Planning and Environment.
Reported benefits significantly exceed the current targets
In September 2021, the department reported that the program had achieved $334 million of benefits over the three financial years up to June 2021 plus the first two months of 2021–22. These reported benefits were significantly higher than expected.
| 2018–19 ($ million) |
2019–20 ($ million) |
2020–21 ($ million) |
July to August 2021 ($ million) |
Total ($ million) |
|
|---|---|---|---|---|---|
| Benefits | 5.2 | 68.8 | 214.7 | 45.1 | 333.8 |
| Target | 2.5 | 14.4 | 56.7 | 19.2 | 92.8 |
| Amount and per cent above target | 2.7 108% |
54.4 378% |
158 279% |
25.9 135% |
241 260% |
The department attributes the higher-than-expected financial benefits to the following:
- benefit targets have not been updated to reflect the impact of the 2019 decision to mandate the use of the portal for all development applications. This decision brought forward the expected benefits as well as potential costs of the program. However, the department did not update its third business case which was draft at the time. The business case was subsequently approved in July 2020
- one-off cost savings for agencies not having to develop their own systems
- public exhibitions of planning proposals continuing to be available online during 2020 when some newspapers stopping printing due to COVID-19.
The calculation of benefits is overstated
The department reported $334 million of benefits in September 2021 due to the ePlanning program. This calculation is overstated because:
- a proportion of reported benefits is likely to be due to other planning reforms
- the calculation of the largest single benefit is incorrect
- the reported benefits may not fully account for dis-benefits reported by some stakeholders.
The program’s benefits are calculated primarily from changes in planning performance data, such as the time it takes to determine a planning development application. The department currently attributes the benefits from shorter planning cycles entirely to the effect of the ePlanning program. However, planning cycles are impacted by many other factors such as the complexity of planning regulations and the availability of planning professionals. Planning cycles may also be impacted by other departmental initiatives which are designed to improve the time that it takes for a planning application to be evaluated. The Introduction describes some of these initiatives.
The largest contribution to the department’s September 2021 benefit report was an estimated saving of $151 million for developers due to lower costs associated with holding their investment for a shorter time. However, the department’s calculation of this benefit assumes a high baseline for the time to determine a development application. It also assumes that all development applications except for additions or alterations to existing properties will incur financing costs. However, a small but material number of these applications will be self-financed. The calculation also includes several data errors in spreadsheets.
The calculation of some benefits relies upon an extrapolation of the benefits experienced by a small number of early-adopter councils, including lower printing and scanning costs, fewer forms and quicker processing times. However, some councils report that their costs have increased following the introduction of the portal, primarily because aspects of the portal duplicate work that they carry out in their own systems. The portal has also required some councils to re-engineer aspects of their own systems, such as the integration of their planning systems with other council systems such as finance or property and rating systems. It has also required councils to create new ways of integrating council information systems with the planning portal.
The department has published information to help councils and certifiers to automatically integrate their systems with the planning portal. This approach uses application programming interfaces (or APIs) which are an industry-standard way for systems to share information. In April and May 2021, the government granted $4.8 million to 96 regional councils to assist with the cost of developing, implementing and maintaining APIs. The maximum amount of funding for each council was $50,000. The department is closely monitoring the implementation of APIs by councils and other portal users. Once they are fully implemented the department expects APIs to reduce costs incurred by stakeholders.
The department has not yet measured stakeholder costs. It was beyond the scope of this audit to validate these costs.
The department has not independently assured the calculation of reported benefits
In 2020 the department appointed an external provider to calculate the benefits achieved by the ePlanning program. The department advised that it chose to outsource the calculation of benefits because the provider had the required expertise and because it wanted an independent calculation of the benefits. The process involves:
- extraction and verification of planning performance data by the department
- population of data input sheets by the department
- calculation of benefits by the external provider using the data input
- confirmation by the department that the calculation includes all expected benefit sources.
The department does not have access to the benefits calculation model which is owned and operated by the external provider. The department trusts that the provider correctly calculates the benefits and does not verify the reported benefit numbers. However, as the benefits model involves many linked spreadsheets and approximately 300 individual data points, there is a risk that the calculation model contains errors beyond those discussed in this audit.
The reported benefits have only been calculated since 2019
The department originally intended to track benefits from October 2014. However, it only started to track benefits in 2019 when it appointed an external provider to calculate the benefits achieved by the portal. Any benefits or dis-benefits between the introduction of the portal and 2019 are unknown and not included in the department’s calculation of benefits.
Appendix one – Response from agency
Appendix two – About the audit
Appendix three – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #366 - released 21 June 2022
COVID-19: response, recovery and impact
What the report is about
This report draws together the financial impact of COVID-19 on the agencies integral to responses across the state government sector of New South Wales.
What we found
Since the COVID-19 pandemic hit NSW in January 2020, and until 30 June 2021, $7.5 billion was spent by state government agencies for health and economic stimulus. The response was largely funded by borrowings.
The key areas of spending since the start of COVID-19 in NSW to 30 June 2021 were:
- direct health response measures – $2.2 billion
- personal protective equipment – $1.4 billion
- small business grants – $795 million
- quarantine costs – $613 million
- increases in employee expenses and cleaning costs across most agencies
- vaccine distribution, including vaccination hubs – $71 million.
The COVID-19 pandemic significantly impacted the financial performance and position of state government agencies.
Decreases in revenue from providing goods and services were offset by increases in appropriations, grants and contributions, for health and economic stimulus funding in response to the pandemic.
Most agencies had expense growth, due to additional operating requirements to manage and respond to the pandemic along with implementing new or expanded stimulus programs and initiatives.
Response measures for COVID-19 have meant the NSW Government is unlikely to meet targets in the Fiscal Responsibility Act 2012 being:
- annual expense growth kept below long-term average revenue growth
- elimination of State’s unfunded superannuation liability by 2030.
Fast facts
- First COVID-19 case in NSW on 25 January 2020
- COVID-19 vaccinations commenced on 21 February 2021
- By 31 December 2021, 25.2 million PCR tests had been performed in NSW and 13.6 million vaccines administered, with 93.6% of the 16 and over population receiving two doses
- During 2020–21, NSW Health employed an extra 4,893 full-time staff and incurred $28 million in overtime mainly in response to COVID-19
- During 2020–21, $1.2 billion was spent on direct health COVID-19 response measures and $532 million was spent on quarantine for incoming international travellers
Section highlights
|
Section highlights
|
Transport 2021
What the report is about
The results of the Transport cluster agencies’ financial statement audits for the year ended 30 June 2021.
What we found
Unmodified financial statement audit opinions were issued for all Transport cluster agencies. Resolution of issues delayed signing the Transport Asset Holding Entity of NSW (TAHE) until 24 December 2021. Matters relating to TAHE are also reported in the report on State Finances 2021.
Emphasis of Matter - TAHE
An Emphasis of Matter paragraph was included in TAHE's audit opinion to draw attention to uncertainty associated with:
- future access and licence fees that are subject to re-signed agreements
- an additional $4.1 billion of funding that is outside the forward estimates period
- a significant portion of the fair value of TAHE’s non-financial assets is reflected in the terminal value, which is outside the ten-year contract period to 30 June 2031, and the risk that TAHE will not be able to negotiate contract terms to support current projections.
TAHE's transition from RailCorp also changed its valuation of assets to an income approach, resulting in a $20.3 billion decrease to the fair value. The fair value decrease was because the cash flows were not sufficient to support the previous recorded value.
TAHE corrected a misstatement of $1.2 billion relating to the valuation of its assets. This followed significant deliberation on key judgements and assumptions, with TAHE adopting risk assumptions in its valuation that were not in line with comparable benchmarks.
Emphasis of Matter - State Transit Authority of New South Wales
An Emphasis of Matter paragraph was included in the State Transit Authority of NSW's (the Authority) audit opinion to draw attention to the financial statements not prepared on a going concern basis. This was because the NSW Government put the Authority's bus contracts out to competitive tender and accordingly, management assessed the Authority's principal activities are not expected to operate for a full 12 months after 30 June 2021.
The implementation of AASB 1059 ‘Service Concession Arrangements: Grantors’ resulted in a net increase in assets of $23.5 billion across the Transport cluster.
The 2020–21 audits identified six high-risk and 45 moderate risk issues across the cluster. Fourteen of the moderate risk issues were repeat issues, including information technology controls around management of user access for key financial systems and payroll processes.
The high-risk issues, in addition to those related to TAHE and previously reported in the report on State Finances 2021, include:
- absence of conflict of declarations related to land acquisition processes at Transport for NSW
- no evidence of conflict of interest declarations obtained by TAHE from consultants and contractors regarding involvement in other engagements.
What we recommended
TAHE needs to:
- finalise revised commercial agreements to reflect fees detailed in a Heads of Agreement signed on 18 December 2021
- prepare robust projections and business plans to support the required rate of return.
NSW Treasury and TAHE should monitor the risk that control of TAHE assets could change in the future.
Transport for NSW needs to significantly improve its processes to ensure all key information is identified and shared with the Audit Office.
Transport agencies should implement a process to ensure conflicts of interest declarations are completed for land acquisitions and applied consistently across the cluster.
Transport agencies should implement a process to capture all contracts and agreements entered to ensure:
- agencies are aware of contractual obligations
- financial reporting implications are assessed, particularly with respect to leases, revenue and service concession arrangements.
Fast facts
The Transport cluster plans and delivers infrastructure and integrated services across all modes of transport. This includes road, rail, bus, ferry, light rail, cycling and walking. There are 11 agencies in the cluster.
- $128b road and maritime system infrastructure assets as at 30 June 2021
- 100% unqualified audit opinions were issued on agencies 30 June 2021 financial statements
- 26 monetary misstatements were reported in 2020–21
- $24.9b rail systems infrastructure assets as at 30 June 2021
- 6 high-risk management letter findings were identified
- 37% of reported issues were repeat issues
This report provides Parliament and other users of the transport cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:
- financial reporting
- audit observations.
Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of agencies in the cluster for 2021.
Section highlights
|
Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.
This chapter outlines our observations and insights from our financial statement audits of agencies in the cluster.
Section highlights
|
Findings reported to management
The number of findings reported to management has increased, and 37 per cent of all issues were repeat issues
Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.
In 2020–21, there were 73 findings raised across the cluster (56 in 2019–20) and 37 per cent of all issues were repeat issues (43 per cent in 2019–20).
In view of the recent performance audit ‘Managing Cyber Risks’ and compliance audit ‘Compliance with the NSW Cyber Security Policy’ involving the cluster, it is noted with concern that the most common repeat issues related to weaknesses in controls over information technology user access administration and password management. Moderate risk issues included completeness and accuracy of contract registers, accounting for assets and management of supplier and payroll masterfiles.
A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports, and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Control deficiencies may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation, and central agency policies.
The table below describes the common issues identified across the cluster by category and risk rating.
| Risk rating | Issue |
| Information technology | |
| Moderate: 7 new, 4 repeat** |
The financial audits identified opportunities for agencies to improve information technology processes and controls that support the integrity of financial data used to prepare agencies' financial statements. Of particular concern are issues associated with:
|
| Low: 4 new, 1 repeat*** | |
| Internal control deficiencies or improvements | |
| High: 1 new* |
The financial audits identified internal control deficiencies across key business processes, including:
|
| Moderate: 15 new, 8 repeat** | |
| Low: 2 new, 5 repeat*** | |
| Financial reporting | |
| High: 3 new* |
The financial audits identified opportunities for agencies to strengthen financial reporting, including:
|
| Moderate: 3 new, 1 repeat** | |
| Low: 2 new*** | |
| Governance and oversight | |
| High: 1 new* |
The financial audits identified opportunities for agencies to improve governance and oversight processes, including:
|
| Moderate: 2 new** | |
| Non-compliance with key legislation and/or central agency policies | |
| High: 1 new* |
The financial audits identified the need for agencies to improve its compliance with key legislation and central agency policies, including:
|
| Moderate: 4 new, 1 repeat** | |
| Low: 1 new, 7 repeat*** | |
** Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
*** Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Note: Management letter findings are based either on final management letters issued to agencies.
2020–21 audits identified six high-risk findings
High-risk findings were reported at the following cluster agencies.
| Agency | Description |
| 2020–21 findings | |
| Transport for NSW (new finding) |
Declaration of conflicts of interest in the land acquisition process In 2021, we conducted a performance audit over the Acquisition of 4–6 Grand Avenue, Camellia which examined:
The report made several recommendations over Transport for NSW’s internal policies and procedures to guide the land acquisition process. As part of the financial audit, we obtained an understanding of key controls and processes relating to the acquisition of land, relevant to the audit of the financial statements. We found that conflicts of interests were not always declared by all officers involved in the land acquisition process. Furthermore, processes for declaring conflicts of interests are not consistently applied across cluster agencies. Out of a sample of 19 land acquisitions tested, we identified:
Management advised that the land acquisition processes, at the time of the land acquisitions, did not require formal conflicts of interests to be declared as they believe that as per Transport for NSW code of conduct, declaration is only required where the staff member considers that a potential or perceived Conflict of Interest exists. However, Transport for NSW's Procurement Policy requires the documentation of formal declarations from all staff involved in procurement activities to formally disclose any conflicts of interest or state that they do not have a conflict of interest. This matter has been included as a high-risk finding in the management letter as absence of rigorous and consistent management of conflicts of interests, and non-compliance with established policies increases the risk that Transport for NSW may be exposed to reputational damage or financial losses in relation to land acquisitions. Furthermore, this may result in lack of probity or value-for money considerations during the land acquisition process. Further details are elaborated below under 'Land acquisitions'. |
| Transport Asset Holding Entity of New South Wales (new finding) |
Control over TAHE assets and operations The State-Owned Corporations Act 1989 maintains that all decisions relating to the operation of a statutory state-owned corporation (SOC) are to be made by or under the authority of the board. However, under the Transport Administration Act 1988 (TAA), the functions of TAHE may only be exercised under one or more operating licences issued by the portfolio minister. The current Operating Licence confers terms and conditions for TAHE to carry out its functions, and imposes constraints on TAHE, including (but not limited to):
Such operating licences are short term in nature, and the TAA allows the transport minister (portfolio minister) to grant one or more operating licences to TAHE and may amend, substitute, or impose, amend or revoke conditions of the operating licence. For the current year, the legal form of the arrangements established in its first year of operation imply TAHE has control over the assets based on the Implementation Deed and the agreements signed with the public operators. However, risks remain as TAHE is in its early stages, and the actual substance of operations will need to be observed and considered. Given the restrictions that can be placed on the entity through the Operating Licence, and the ability to make further changes to the Operating Licence and Statement of Expectations set by the portfolio minister, there is a risk there could be limitations placed on the Board of Directors to operate with sufficient independence in its decision-making with respect to the operations of TAHE. Over time, this may further impact the degree of control required by TAHE to satisfy the recognition criteria over its assets. It may also fundamentally change the presentation of TAHE’s financial statements. Future limitations to the degree of control TAHE, and its Board, can exercise over its functions may impact the degree of control TAHE has over its assets going forward. As part of the 2021–22 audit, we will monitor and assess whether, in substance, these assets continue to be controlled by TAHE and whether, in substance, TAHE can operate as an independent SOC. We require management continue to demonstrate that TAHE continues to maintain control over its assets and has the ability to operate as an independent SOC. Further details are described below under 'Transport Asset Holding Entity'. |
| Transport Asset Holding Entity of New South Wales (new finding) |
Asset valuation The final updated valuation was based on cash flows that were in a signed Heads of Agreement, which stated that it set out the proposed indicative future access and licence fees which will form the basis of the negotiations between TAHE, Transport for NSW, Sydney Trains and NSW Trains, who will work together to review access fees and licence fees payable under the agreements and to make all necessary changes to the Operating Agreements by 1 July 2022. This adds uncertainty in the cash flows. It is crucial that TAHE formalises these updated fees in legally binding signed access and licence agreements with the relevant parties as soon as possible. Refer below for further details on the Heads of Agreement. |
| Transport Asset Holding Entity of New South Wales (new finding) |
Conflict of interest (COI) management For procurement transactions through direct negotiation with single quotes, there was no evidence of COI declarations obtained from the consultants and contractors regarding involvement in other engagements. Contractors and consultants are required to declare actual COI. However, there was no requirement to confirm nil conflict of interest. In addition, there is a risk that perceived COI may not be adequately assessed or managed. TAHE is expected to operate as an independent SOC and would need to ensure any perceived or actual conflict of interest is adequately addressed. Management should implement a process to:
The declarations should consider individuals and relationships that may create, or may be perceived to create, conflicts of interest. |
| Transport Asset Holding Entity of New South Wales (new finding) |
Detailed business modelling to support returns On 18 December 2021, Transport for NSW, TAHE and the operators, Sydney Trains and NSW Trains entered into a Heads of Agreement (HoA). This HoA forms the basis of negotiations to revise the pricing within the existing 10-year contracts and deliver upon the shareholders' expectation of a return of 2.5 per cent per annum of contributed equity, including recovering the revaluation loss incurred in 2020–21. TAHE needs to revise its business plan and include detailed business modelling that supports the shareholding ministers' revised expectations of return (2.5 per cent return on the State’s equity injections and recovery of the write-down of assets over the average useful life of those assets) and align the business plan and Statement of Corporate Intent. This requires more detailed projections, estimates and plans that support how TAHE expects to recover the asset write-down and expected returns to government. The current modelling for ten years needs to be enhanced with modelling over the expected recovery period of approximately 33 years. |
| Transport Asset Holding Entity of New South Wales (new finding) |
Access price build-up Management explained that in determining access and licence fees for the agreements with Sydney Trains and NSW Trains, assets prior to the commencement of equity injections in 2015–16 were excluded from the calculations. Management explained the premise being that these assets were previously funded by government through capital grants. The replacement and refurbishment of these assets is expected to be through government funded maintenance performed through the public rail operators and/or the equity injections from NSW Treasury rather than through access and licence fees. |
The number of moderate risk findings increased from prior year
Forty-five moderate risk findings were reported in 2020–21, representing a 73.1 per cent increase from 2019–20. Of these, 14 were repeat findings, and 31 were new issues.
Key moderate risk findings related to:
- weaknesses in user access management to key financial systems
- management of contracts and agreements register
- management of supplier and payroll masterfiles
- accounting for assets
- control deficiencies at service organisations
- segregation of duties relating to the hiring of employees
- conflict of interest management
- annual leave management
- review of internal audit charter
- disaster recovery planning.
Transport Asset Holding Entity of New South Wales
Background
The establishment of TAHE was originally announced by the NSW Government in the 2015–16 State Budget. On 1 July 2020, the former Rail Corporation New South Wales (RailCorp), a not-for-profit entity, transitioned to the Transport Asset Holding Entity of New South Wales (TAHE), a for-profit statutory state-owned corporation under the Transport Administration Act 1988. There was no change in the structure of TAHE as a new entity was not created. Ownership remains fully with the government. TAHE, and the former RailCorp, were both classified as Public Non-Financial Corporation (PNFC) entities within the Total State Sector Accounts.
Prior to 1 July 2015, the government paid appropriations to Transport for NSW, a General Government Sector (GGS) agency, to construct transport assets. When completed, these assets were granted to the former RailCorp, a not for-profit entity within the PNFC sector. The grants to the former RailCorp were recorded as an expense in the State’s GGS budget result.
From 1 July 2015, the government announced the creation of TAHE (a dedicated asset manager). Funding for new capital projects was to be provided through equity injections and was no longer recorded as an expense to the GGS budget, even though the business model was yet to be determined. The change, as explained in the 2015–16 State Budget, was due to the expectation that the former RailCorp will transition to TAHE, which was intended, over time to provide a commercial return. That Budget also highlighted how the change, which was largely a change in the basis of accounting, was intended to improve the GGS budget result each year. In total, the GGS has contributed approximately $11.1 billion to TAHE since 2015–16. This includes the equity injections from the GGS to TAHE made in the current year of $2.4 billion.
NSW Treasury initially set a timetable for the stand-up of TAHE of 1 July 2019, which included finalising the business model, operating model and contracts for the use of TAHE's assets. The enactment of the Transport Administration Act 1988 resulted in RailCorp transitioning to TAHE on 1 July 2020, 12 months after its originally planned operational date. Contributions paid to the former RailCorp and subsequently to TAHE by the GGS were treated as equity investments from July 2015 forward. This treatment continued, despite delays in settling the business model. In 2020, the Audit Office raised a high-risk finding due to the significance of the financial reporting impacts and business risks for NSW Treasury and TAHE.
The business model adopted and the flow of funds between transport agencies in the GGS and PNFC sectors is shown in the diagram below. For further details refer to the Report on State Finances 2021.
Appendix one – Misstatements in financial statements submitted for audit
Appendix two – Early close procedures
Appendix three – Financial data
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Local government business and service continuity arrangements for natural disasters
What the report is about
Natural disaster events, including bushfires and floods, have directly impacted some local councils in New South Wales over recent years. It is important for local councils to effectively plan so that they can continue operations through natural disasters and other disruptions.
This audit assessed the effectiveness of Bega Valley Shire Council and Snowy Valleys Council’s approaches to business and service continuity arrangements for natural disasters.
What we found
Bega Valley Shire Council has a documented approach to planning for business and service continuity that provides for clear decision making processes and accountability.
Bega Valley Shire Council has prepared for identified natural disaster risks to business and service continuity but can do more to monitor how it has implemented controls responding to these risks.
Bega Valley Shire Council did not follow all aspects of its business continuity plan in responding to the 2019–20 bushfires.
Bega Valley Shire Council can do more to ensure its business continuity management approach is regularly reviewed and updated, and that staff are regularly trained in its implementation.
Snowy Valleys Council did not have a finalised approach to ensure business and service continuity until October 2020. Now in place, this approach identifies governance, assigns roles and responsibilities, and includes procedures to retain or resume services. That said, the Council has not adequately documented key elements of its business continuity management approach.
Snowy Valleys Council's strategic risk register identifies that natural disasters may impact its ability to deliver services, but the Council has not identified controls to respond to these risks.
During the 2019–20 bushfires, in the absence of a business continuity plan, Snowy Valleys Council relied on the local knowledge of its staff to manage service continuity in line with directions from the Local Emergency Operations Controller and the combat agency (the Rural Fire Service).
Both councils advised that, during the 2019–20 bushfires, services were maintained, sometimes with adaptation and sometimes with support from other councils, NSW Government and Australian Government agencies.
What we recommended
Bega Valley Shire Council should update and regularly review its business continuity plans, provide business continuity training, and improve its monitoring of risk controls and actions, including for natural disaster impacts.
Snowy Valleys Council should document and monitor all disruption-related risks and controls, regularly review and update its business continuity plans, and progress planned actions to increase staff awareness of business continuity plans.
Across both councils, we recommended that recordkeeping relating to service delivery during natural disasters should be adequate to inform post incident reviews and future updates to business continuity.
Fast facts
- Multiple natural disasters affected the audited councils in 2019–20:
- bushfires in 2019–20
- storms and floods in January 2020
- storms and floods in July and August 2020
- storms and floods in October 2020.
- 6,279km2 Size of Bega Valley Shire Council (area)
- 2,203km2 Area burnt within Bega Valley Shire Council in 2019–20 bushfires
- 8,959km2 Size of Snowy Valleys Council (area)
- 3,339km2 Area burnt within Snowy Valleys Council in 2019–20 bushfires.
Natural disaster events, including bushfires and floods, have directly impacted some local councils in New South Wales over recent years. Given their important role in delivering essential services to their communities, it is important for local councils to effectively plan so that they can continue operations through natural disasters and other disruptions.
Business continuity plans are a widespread mechanism used by governments and private sector organisations to ensure they are prepared to respond effectively to disruptions. In New South Wales, business continuity plans are widely used by local councils to help ensure continuity of service delivery, safety and availability of staff, availability of information technology systems and other systems, financial management and governance. There are no current sector-wide requirements or policies for business continuity management issued by the Department of Planning and Environment (DPE)1 for NSW councils. As such, councils can develop their own business continuity management frameworks.
Our 'Report on Local Government 2020' considered the financial and governance impacts from recent natural disaster events on local councils in New South Wales. It also considered sector-wide trends in business continuity planning, including how many councils enacted or updated their business continuity plans in 2019–20.
The report found that all councils were impacted by emergency events, and that some councils changed their governance, policies, systems, and processes to respond to the emergency events. Sixty-five per cent of councils updated their business continuity plan as a response to recent emergency events, and 43 per cent of councils updated their disaster recovery plan.
This audit follows on from the 'Report on Local Government 2020' with a detailed examination of the effectiveness of business and service continuity arrangements for natural disasters in two councils.
The selected councils for this audit were Bega Valley Shire Council and Snowy Valleys Council. They were selected because they had been heavily impacted by the 2019–20 bushfires and other natural disaster events, such as storms and floods between December 2018 to December 2020.
The objective of this performance audit was to assess the effectiveness of the councils' approaches to business and service continuity arrangements for natural disasters. In making this assessment, we considered whether the selected councils:
- had documented approaches for identifying, mitigating, and responding to disaster-related risks to business and service continuity
- effectively implemented strategies to prepare for identified disaster-related impacts
- responses during selected disasters were effective in managing business and service continuity.
Conclusion - Bega Valley Shire Council
Bega Valley Shire Council has a documented approach to planning for business and service continuity that provides for clear decision-making processes and accountability.
Since 2018, the council has prepared for identified natural disaster risks to business and service continuity, but can do more to monitor how it has implemented controls responding to these risks.
Bega Valley Shire Council did not follow all aspects of its business continuity plan in responding to the 2019–20 bushfires.
The council can do more to ensure its business continuity management approach is regularly reviewed and updated, and that staff are regularly trained in its implementation.
Bega Valley Shire Council has a documented approach to business continuity management that is integrated with its broader approach to enterprise risk management and is supported by clear decision-making processes and accountability. This includes a business continuity plan (BCP), BCP subplans, and a business impact analysis (BIA). The council made changes to its BIA in 2019 following the 2018 Tathra bushfires within its local government area (LGA), but its BCP and BCP subplans have not been updated since 2016 and key information is out of date.
Bega Valley Shire Council has identified high-level controls and strategies to mitigate disaster-related risks and undertakes post incident reviews to capture lessons following a disaster, but many high-risk actions resulting from those reviews remain outstanding.
Bega Valley Shire Council identified risks, controls, and actions to prepare for natural disaster impacts between 2018 to 2020. However, the council has not effectively monitored implementation of the identified controls. Bega Valley Shire Council has only partially implemented the actions and recommendations from internal reviews that identified gaps in its business continuity management approach.
Bega Valley Shire Council did not follow all aspects of its business continuity plan in responding to the 2019–20 bushfires, instead relying on the local knowledge of its staff. The council has not provided BCP scenario training since 2015 and has not monitored completion rates of its online business continuity management training for staff.
Bega Valley Shire Council did not keep records of its decision of whether to enact its BCP during the 2019–20 bushfires, but advised its ability to follow the BCP was not possible due to the scale and impact of the bushfires surpassing the expectations included in its BCP and BCP subplans.
The council advised that essential council-led services were largely maintained during the disaster, sometimes with adaptation of services, and sometimes with support from other councils, NSW Government and Australian Government agencies.
As Bega Valley Shire Council did not maintain formal records of service disruptions for most services, did not follow all aspects of its BCP during the 2019–20 bushfires, and because it requested and received support from other agencies, we are unable to assess the impact of its planning and preparation activities on the continuity of services.
Bega Valley Shire Council took actions during the 2019–20 bushfires to communicate key service changes to staff, residents, and stakeholders, and regularly sought feedback on residents' experiences.
Bega Valley Shire Council could improve the effectiveness of its business continuity management approach by undertaking regular staff training (including scenario training) and ensuring that its business continuity management framework is routinely updated to reflect current practice and current staff.
Conclusion - Snowy Valleys Council
Snowy Valleys Council did not have a finalised approach to ensure business and service continuity until October 2020. Now in place, this approach identifies governance, assigns roles and responsibilities and includes procedures to retain or resume services. That said, the council has not adequately documented key elements of its business continuity management approach.
Snowy Valleys Council's risk register identifies that natural disasters may impact its ability to deliver services, but the council has not identified controls to respond to these risks.
During the 2019–20 bushfires, in the absence of a business continuity plan (BCP) or BCP subplans, the council relied on the local knowledge of its staff to manage service continuity in line with directions from the Local Emergency Operations Controller and the combat agency (the Rural Fire Service).
Snowy Valleys Council did not have a finalised BCP, BCP subplans, or BIA until after the 2019–20 bushfires. The council finalised most of its business continuity management framework in late 2020 and this framework now establishes governance, including assigning roles and responsibilities, and identifies contingencies and procedures to retain or resume critical services.
There are gaps in how Snowy Valleys Council has documented key elements of its business continuity management approach. The council advised it has completed a BIA, but has not retained the completed version of this document as it was not managed under Snowy Valleys Council's record management procedures. Some of the council's BCP subplans have gaps in process information and contact details which means BCP subplan owners and other potential users may not have access to accurate, up to date information when responding to a disruption event.
The council advised it provided BCP scenario training in 2016, 2018, and 2021, but was unable to provide any evidence of the 2018 training. As the current BCP and BCP subplans were only finalised in 2021, the 2016 and 2018 training were based on the previous BCP framework, developed under the former Tumut Shire Council. Additionally, the council advised it has developed BCP awareness training for staff as part of induction training, but has not provided a clear timeframe for implementing this training.
The council undertakes post incident reviews after most service disruption events, but has not undertaken a post incident review of the 2019–20 bushfires, despite its significant impact within the Snowy Valleys Council LGA.
Snowy Valleys Council advised that it identifies and mitigates or controls for disaster related risks within broader enterprise-wide risk assessments. Snowy Valleys Council’s strategic risk register identifies the risk of natural disasters to service delivery, but does not identify preventative controls or resilience strategies to mitigate these risks. The council monitors and improves the resilience of some assets as part of its regular operations of maintaining assets but does not clearly link such actions to how they contribute to reducing the risk of natural disaster related impacts. Snowy Valleys Council advises it works with other agencies, such as the Rural Fire Service and the local Bush Fire Management Committee, to plan for bushfire risks.
In the absence of a BCP or BCP subplans, Snowy Valleys Council relied on individual team members to manage service continuity during the 2019–20 bushfires based on directions by the local Emergency Operations Controller, and the Rural Fire Service. The council advised that the delivery of essential council-led services was largely maintained during the 2019–20 bushfires, sometimes with adaptation and support from other NSW Government and Australian Government agencies. Snowy Valleys Council took actions during the 2019–20 bushfires to communicate key service changes to staff, residents, and stakeholders, and regularly sought feedback on residents' experiences.
As Snowy Valleys Council did not maintain formal records of any service disruptions and did not have a finalised business continuity management approach in place to guide its response during the 2019–20 bushfires, we are unable to assess the impact of its planning and preparation activities on the continuity of services.
Appendix one – Responses from councils and the Department of Planning and Environment
Appendix two – Emergency management arrangements for local councils
Appendix three – About the audit
Appendix four – Performance auditing
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.
Parliamentary reference - Report number #362 - released 17 February 2022.
