What the report is about

The results of Treasury cluster agencies' financial statement audits for the year ended 30 June 2021. The results of the audit of the NSW Government's consolidated Total State Sector Accounts (TSSA), which are prepared by NSW Treasury, are reported separately in our report on State Finances 2021.

What we found

Unmodified audit opinions were issued for all Treasury cluster agencies.

The number of identified monetary misstatements increased from 16 in 2019–20 to 24 in 2020–21.

Reported corrected monetary misstatements decreased from 15 in 2019–20 to seven with a gross value of $1.1 billion in 2020–21.

The largest corrected misstatement was in NSW Treasury's financial statements and was a $1 billion correction to administered borrowings.

Reported uncorrected monetary misstatements increased from one in 2019–20 to 17 with a gross value of $168 million in 2020–21.

Seven of the 2020–21 uncorrected misstatements related to one common decision relating to investment management funds terminated during the year by the NSW Treasury Corporation (TCorp).

All agencies submitted their 2020–21 financial statements within NSW Treasury's reporting deadlines.

What the key issues were

Significant audit findings were identified with respect to NSW Treasury's processes to prepare the NSW Government's consolidated TSSA (whole of government accounts). This included one extreme finding and several high-risk findings related to NSW Treasury processes. These are reported in our report on State Finances 2021.

Two high-risk issues raised in 2019–20 were also not addressed by NSW Treasury during the year and were repeat issues reported to management. These related to the appropriations framework and resolution of cross cluster payments, and instances where some agencies spent deemed appropriations money without an authorised delegation.

A number of previously reported audit findings and recommendations with respect to icare continue to be ongoing issues, namely:

• The Workers Compensation Nominal Insurer continues to hold less assets than the estimated present value of its future payment obligations.
• The Workers Compensation Nominal Insurer's four week return-to-work rate fell from 68% to 64%. This is below icare's 70% target. Contributing factors include COVID-19 lockdowns which have impacted claims handling processes, and increased barriers to claimants returning to work.
• Instances were noted where inadequate documentation was kept on file to support claims, including pre-injury average weekly earnings (PIAWE) calculations.

The Workers Compensation (Dust Diseases) Authority increased its outstanding claims liability by $93.9 million, which included $39.3 million to remediate historical underpayments, resulting from workers not being paid the rate required by existing legislation.

The icare Board approved a new approach for remediating PIAWE underpayments on 24 September 2021, the date the Workers Compensation Nominal Insurer’s financial statements were approved for issue. The impact of the decision on the financial statements was not discussed with the Audit Office and assessed as an ‘after balance date event’.

What we recommended

Our report on State Finances 2021 made several recommendations to improve NSW Treasury processes. These included:

• improve processes to ensure information is shared with audit on a timely basis
• seek legislative amendments to resolve statutory inconsistencies relating to statutory reporting time frames
• implement effective quality review processes over key accounting information
• establish a policy to determine the minimum expected rate of return on equity injections in other public sector entities
• prepare robust financial projections to support accounting decisions
• re-confirm sector classifications of TAHE, Sydney Trains and NSW Trains
• ensure sufficient oversight of its use of consultants and assess the risk of an overdependence on consultants at the cost of internal capability
• improve disclosures of equity injections invested in other public sector entities
• determine a state-wide policy on when borrowings are recognised in agency financial statements
• make legislative amendments to ensure expenditure incurred across financial years does not exceed the appropriation authority and assess the financial reporting impact
• improve the guidance provided to agencies to ensure expenditure of public money is properly supported by authorised delegations.

We also recommended icare should ensure:

• it has sufficient controls over claim payments including an effective quality assurance program, to minimise claim payment errors
• that documentation to support injured worker benefit calculations is appropriately maintained, and the documentation requirements are set out in a policy
• the impact of ‘after balance date events’ on financial statements is appropriately assessed
• its operational practices are improved to ensure the correct payment of claims in compliance with legislative requirements. icare also needs to act on a timely basis on received legal advice and amend operational practices to ensure correct payments are made.

This report focuses on agencies within the Treasury cluster and provides parliament and other users of the Treasury cluster's financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

NSW Treasury also prepares the consolidated NSW whole of government financial statements (the Total State Sector Accounts), which is reported in the report on State Finances 2021.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making is enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Treasury cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Treasury cluster.

Findings reported to management

The number of findings reported to management has decreased, but 30% of all issues were repeat issues and these need greater focus and prioritisation

Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include observations, related implications, recommendations and risk ratings.

In 2020–21, there were 57 findings raised across the cluster (71 in 2019–20), 30% of which were repeat issues (32% in 2019–20).

The most common repeat issues related to claims processing and information technology user access administration.

A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, affect service delivery and expose agencies to fraud, financial loss and reputational damage. Poor controls may also mean agency staff are less likely to follow internal policies, inadvertently causing the agency not to comply with legislation, regulation and central agency policies.

The table below describes the common issues identified across the cluster by category and risk rating.

The number of moderate risk findings decreased from prior year

There were 21 moderate risk findings reported in 2020–21, representing a 30% decrease from 2019–20. Of these, ten were repeat findings, and 11 were new issues.

Moderate risk repeat findings include:

• claims processing weaknesses including claim payment errors, and inadequate documentation to support calculations and evidence claims were reviewed by someone with appropriate delegation
• inadequate review of user access and higher risks of unintended or unauthorised system access
• controls assurance reports from an outsourced service provider did not cover the services it provided to the government agency
• failure to review procurement contracts register to ensure it is accurate and complete
• ongoing control deficiencies with grant application and approval processes
• key policies including delegations not being reviewed in a number of years and do not incorporate new requirements from more recent legislation
• quality review processes failing to identify material classification errors associated with grant funding.

NSW Treasury related matters

Accounting for the Government's investment in Transport Asset Holding Entity

A total of seven recommendations were made with respect to NSW Treasury's processes to prepare the NSW Government's consolidated whole of government accounts (the TSSA). This included one extreme risk finding and six high risk findings. The extreme finding related to NSW Treasury needing to significantly improve its processes to ensure all key information is identified and shared with the Audit Office on a timely basis. Other high-risk findings were identified which resulted in the following recommendations for NSW Treasury:

• establishing a policy to determine the minimum expected rate of return on the GGS equity injections in other public sectors entities and report on the performance of these GGS investments in the TSSA, including how much and what type of returns the government is obtaining from its investments compared to its targeted return
• facilitate revised commercial agreements to reflect access and license fees that were agreed in the 18 December 2021 Heads of Agreement between Transport for NSW, TAHE and the operators Sydney Trains and NSW Trains
• with TAHE, prepare robust projections and business plans to support GGS investment returns beyond FY2031.
• liaising with the ABS to re-confirm the classification of TAHE, NSW Trains and Sydney Trains as entities within the PNFC sector
• monitoring the risk that control of TAHE assets could change in future reporting periods and the implications on the TSSA
• consider whether there is sufficient competent oversight of its use of consultants and assess the risk of an over dependence on consultants at the cost of internal capability.

More details on the recommendations to NSW Treasury relating to its accounting for the GGS investment in TAHE are included on pages 7 to 24 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. 

Borrowings of $1 billion were understated by NSW Treasury

NSW Treasury, a GGS agency, made agreements to borrow $1 billion from New South Wales Treasury Corporation (TCorp), a PFC sector agency. Some of these agreements were entered as early as 17 May 2021 and all agreements for borrowings were entered into before 30 June 2021. However, NSW Treasury requested that settlement of those additional borrowings be deferred until 1 July 2021.

As TCorp raised the funds before 30 June 2021, it recognised a financial asset and liability to NSW Treasury on 30 June 2021. Despite TCorp having raised the funds by 30 June 2021 under the mutually agreed trade deal, NSW Treasury did not recognise any borrowings at year end on the basis that it requested the settlement date and receipt of cash to be deferred to past the balance sheet date. This led to an understatement of debt liabilities of $1 billion by NSW Treasury, and an inconsistent accounting treatment between the two agencies. NSW Treasury subsequently corrected the misstatement after the matter was raised by the audit, resulting in the GGS recognising $1 billion in financial assets and borrowings at 30 June 2021.

More detail on these inconsistencies is on page 37 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. We recommended NSW Treasury seek develop a state-wide accounting policy for borrowings which ensure correct and consistent accounting treatment between agencies and sectors.

Inconsistencies exist in the GSF Act and GSA Act related to key statutory timeframes

There are inconsistencies between key statutory reporting timeframes imposed on the Treasurer and Auditor-General for the Consolidated State Financial Statements (the Statements) in the Government Sector Finance Act 2018 (GSF Act) and Government Sector Audit Act 1983 (GSA Act). Ambiguity in the statutory reporting timeframes could impact on the future timely provision of this information to Parliament. More detail on these inconsistencies is on page 54 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. We recommended NSW Treasury seek legislative amendments in Parliament to resolve these inconsistencies.

NSW Treasury lacks a framework to monitor and provide assurance to ministers that they are in compliance with their appropriation authority

In July 2021, NSW Treasury highlighted a potential issue associated with certain cross-cluster payments which was based on advice received from the Crown Solicitor in January 2021. After being made aware of the issue, the Audit Office obtained its own advice on matters related to the appropriations framework under relevant state legislation. In the advice to the Audit Office, the Crown Solicitor advised that an agency is not subject to its own legally appropriated expenditure limit (assuming it is not subject to any annual spending limit imposed through an instrument of delegation or a budget control authority issued by the Treasurer under section 5.1 of the GSF Act). In effect, because responsible ministers are given appropriations, these legal expenditure limits, rest in aggregate, with the principal department and agencies the minister is responsible for. It is not possible for an individual agency to monitor or determine at what ‘point in time’ expenditure has been incurred in excess of the minister’s appropriation authority and there is currently no framework to monitor this.

Further detail on this matter is on pages 54 to 56 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. In this report, we recommended that NSW Treasury:

• ensure a framework exists to monitor and provide assurance to ministers that expenditure incurred across a financial year by agencies under the relevant minister's coordination does not exceed the appropriation authority conferred by the annual Appropriations Act and the GSF Act
• assess how the requirement to prepare a Summary of Compliance under Australian Accounting Standards impacts relevant principal departments and cluster agencies financial statement disclosures.

Agencies have again spent monies without an authorised delegation

In the State Finances NSW Auditor-General's Report to Parliament for 2020 and 2021 we reported instances where agencies spent money received from an annual appropriation and/or deemed appropriation money without an authorised delegation from the relevant minister(s) as required by sections 4.6(1) and 5.5(3) of the GSF Act. Further detail on this matter is on pages 56 to 57 of the State Finances 2021 NSW Auditor-General’s Report to Parliament. In this report, we recommended NSW Treasury promptly improve the guidance it provides agencies to ensure that expenditure of public monies is properly supported by authorised delegations.

Control deficiencies at NSW Treasury's service providers

NSW Treasury's business processes and information technology services were provided by Infosys, Unisys and the Department of Customer Service during 2020–21. Together this constitutes the GovConnect environment.

The GovConnect information technology general controls (ITGC) were qualified in 2020–21. The key controls over user access, system changes and batch process failed in all ITGC reports. Most of these deviations were not mitigated or sufficiently mitigated to address the risk of unauthorised user access.

In response to the internal control qualifications, the audit teams performed data analytics over payroll and accounts payable to obtain reasonable assurance that these control deficiencies did not materially impact on relevant agencies' financial statements.

Refer to the Customer Service 2021 NSW Auditor-General’s Report to Parliament for further details.

Insurance related matters

icare is in the process of implementing organisational reform in response to findings in recent external reviews. These reviews have identified 151 recommendations for icare to improve in the areas of risk and governance, performance, and culture and accountability. The reviews include the April 2021 McDougall Review, and the February 2021 ‘Independent Review of icare governance, accountability and culture’ which was recommended by SIRA in the Dore Report.

All of these recommendations were accepted by icare and are expected to be addressed through their ‘Improvement Program’. As at February 2022, icare report that 21 have been addressed, 139 are in progress, and 15 still to commence.

A number of the observations referred to in this report were also identified in the above reviews and are expected to be actioned as part of the improvement program.

Workers Compensation Nominal Insurer (the Nominal Insurer)

The Nominal Insurer’s net asset deficiency at 30 June 2021

Last year's Central Agencies Report to Parliament reported that the Workers Compensation Nominal Insurer (the Nominal Insurer), the NSW Self Insurance Corporation and the Lifetime Care and Support Authority of New South Wales all had negative net assets at 30 June 2020. After strong investment returns in 2020–21, only the Nominal Insurer continued to have negative net assets at 30 June 2021.

The Nominal Insurer's negative net assets of $252.9 million at 30 June 2021 ($316.2 million at 30 June 2020) means that it still does not hold sufficient capital to meet the estimated present value of its future payment obligations, when measured in accordance with the accounting framework. The financial statements continued to be prepared on a going concern basis because the future payment obligations are not all due for settlement within the next 12 months.

As noted in section 2.4 ‘Key accounting issues’, icare changed from an 'Accounting Ratio', to an 'Insurance Ratio', to assess the Nominal Insurer’s capital position from 2020–21. The insurance ratio uses a (higher) discount rate based on the expected earnings rate on the Nominal Insurer’s assets, rather the ‘risk free’ rate which is used for financial reporting.

Last year's Report to Parliament also noted that the deterioration in the value of the Nominal Insurer’s net assets has resulted in its funding ratio at 30 June 2020 being outside of the ‘target operating zone’ set by the Board of icare. The Insurance Ratio at 30 June 2021 is 122%, which is less than icare's target operating zone of over 130%.

icare is assessing how it can increase the Nominal Insurer’s funding ratio, and advises that actions taken to date include the execution of the Nominal Insurer Improvement Program (the Improvement Program) and an increase in premium rates.

icare were given approval by the State Insurance Regulatory Authority (SIRA) to increase workers compensation premium rates from 1.4% to 1.44%  of wages (2.9%) for the 2021–22 policy year. icare advises that their pricing strategy for workers compensation premiums is for ‘modest increases over the medium term’.

Return-to-work rates have worsened

Last year's Central Agencies Report to Parliament noted that the Nominal Insurer has experienced deteriorating return-to-work rates since late 2017. According to data published by SIRA, the Nominal Insurer’s monthly four week return-to-work rate has continued to decline, falling from 68% at 30 June 2020 to 64% at 30 June 2021, and down to 63% at 30 September 2021.

A key assumption when measuring the Nominal Insurer’s outstanding claims liability, is the amount of time that injured workers will remain on benefits (i.e. continuance rates). This assumption is significantly aligned with return-to-work rate measures. At 30 June 2021, the liability was increased by $296 million due to changes in continuance rate assumptions, with workers expected to remain on benefits longer. This change is consistent with the fall in four week return-to-work rates.

The four week return-to-work rate trend since August 2017 is shown in the graph below.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Appendix five – Acquittals and other opinions

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Planning, Industry and Environment cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Planning, Industry and Environment cluster agencies' financial statements audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all completed 30 June 2021 financial statements audits of cluster agencies. Three audits are ongoing.

An 'Other Matter' paragraph was included in the Independent Planning Commission's (the IPC) audit opinion because the prior year comparative figures were not audited. Prior to 2020–21, the IPC was not required to prepare separate financial statements under the Public Finance and Audit Act 1983 (PF&A Act). The financial reporting provisions of the Government Sector Finance Act 2018 now require the IPC to prepare financial statements.

The number of identified misstatements increased from 51 in 2019–20 to 54 in 2020–21.

The 2010–11 to 2019–20 audits of the Water Administration Ministerial Corporation’s (the Corporation) financial statements are incomplete due to insufficient records and evidence to support the transactions of the Corporation, particularly for the earlier years. Management has commenced actions to improve the governance and financial management of the Corporation. These audits are currently in progress and the 2020–21 audit will commence shortly.

There are 609 State controlled Crown land managers (CLMs) across New South Wales that predominantly manage small parcels of Crown land.

Eight CLMs prepared and submitted 2019–20 financial statements by the revised deadline of 30 June 2021. A further 24 CLMs did not prepare financial statements in accordance with the PF&A Act. The remaining CLMs were not required to prepare 2019–20 financial statements as they met NSW Treasury's financial reporting exemption criteria.

The Department of Planning, Industry and Environment's (the department) preliminary assessment indicates that 60 CLMs are required to prepare financial statements in 2020–21. To date, no CLMs have prepared and submitted financial statements for audit in 2020–21.

There are also 120 common trusts that have never submitted financial statements for audit. Common trusts are responsible for the care, control and management of land that has been set aside for specific use in a certain locality, such as grazing, camping or bushwalking.

What the key issues were

The number of matters we reported to management increased from 135 in 2019–20 to 180 in 2020–21, of which 40 per cent were repeat findings.

Seven high-risk issues were identified in 2020–21:

• system control deficiencies at the department relating to user access to HR and payroll management systems, vendor master data management and journal processing, which require manual reviews to mitigate risks
• deficiencies related to the Centennial Park and Moore Park Trust's tree assets valuation methodology
• the Lord Howe Island Board did not regularly review and monitor privileged user access rights to key information systems
• the Natural Resources Access Regulator identified and adjusted three prior period errors retrospectively, which indicate deficiencies within the financial reporting processes
• deficiencies relating to the Parramatta Park Trust's tree assets valuation methodology
• lease arrangements have not been confirmed between the Planning Ministerial Corporation and Office of Sport regarding the Sydney International Regatta Centre
• the Wentworth Park Sporting Complex land manager (the land manager) has a $6.5 million loan with Greyhound Racing NSW (GRNSW). GRNSW requested the land manager to repay the loan. However, the land manager subsequently requested GRNSW to convert the loan to a grant. Should this request be denied, the land manager would not be able to continue as a going concern without financial support. This matter remains unresolved for many years.

There continues to be significant deficiencies in Crown land records. The department uses the Crown Land Information Database (CLID) to record key information relating to Crown land in New South Wales that are managed and controlled by the department and land managers (including councils and land managers controlled by the state). The CLID system was not designed to facilitate financial reporting and the department is required to conduct extensive adjustments and reconciliations to produce accurate information for the financial statements.

The department is implementing a new system to record Crown land (the CrownTracker project). The department advised that the project completion date will be confirmed by June 2022.

What we recommended

The department should ensure CLMs and common trusts meet their statutory reporting obligations.

Cluster agencies should prioritise and action recommendations to address internal control deficiencies, with a focus on addressing high-risk and repeat issues.

The department should prioritise action to ensure the Crown land database is complete and accurate. This will allow the department and CLMs to be better informed about the Crown land they control.

This report provides parliament and other users of the Planning, Industry and Environment cluster (the cluster) agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster.

Appendix one - Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

• develop and implement a plan to uplift the Essential 8 controls to the agency's target state
• as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
• ensure cyber security risk reporting to executives and the Audit and Risk Committee
• collect supporting information for the CSP self assessments 
• classify all information and systems according to importance and integrate this with the crown jewels identification process
• require more rigorous analysis to re-prioritise CDP funding 
• increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

• clarify the requirement for the CSP reporting to apply to all systems
• require agencies to report the target level of maturity for each mandatory requirement.

Response to requests by audited agencies to remove information from this report

In preparing this audit report, I have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to agencies’ systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in this audit.

In making this assessment, the audit team consulted with Transport for NSW (TfNSW), Sydney Trains, and Cyber Security NSW to identify content which could potentially pose a threat to the agencies’ cyber security.

In December 2020, my office also provided TfNSW and Sydney Trains with a detailed report of many of the significant vulnerabilities identified in this audit, to enable the agencies to address the cyber security risks identified. The detailed report was produced as a result of a 'red team' exercise, which was conducted with both agencies' knowledge and consent. The scope of this exercise reflected the significant input provided by both agencies. More information on this exercise is at page 12 of this report.

TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified. As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community. I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.

It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose.

It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

That said, the conclusions drawn in this report are significant in terms of risk and remain valid, and the recommendations should be acted upon with urgency.

Cyber security risk is an increasing area of concern for governments in Australia and around the world. In recent years, there have been a number of high-profile cyber security attacks on government entities in Australia, including in New South Wales. Malicious cyber activity in Australia is increasing in frequency, scale, and sophistication. The Audit Office of New South Wales is responding to these risks with a program of audits in this area, which aim to identify the effectiveness of particular agencies in managing cyber risks, as well as their compliance with relevant policy.

Cyber Security NSW, part of the Department of Customer Service (DCS) releases and manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies, including making it mandatory for agencies to implement the Australian Cyber Security Centre Essential 8 Strategies to Mitigate Cyber Security Incidents (the Essential 8). The Essential 8 are key controls which serve as a baseline set of protections which agencies can put in place to make it more difficult for adversaries to compromise a system. Agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

The CSP makes agencies responsible for identifying and managing their cyber security risks. The CSP sets out responsibilities and governance regarding risk identification, including making agencies responsible for identifying their 'crown jewels', the agency's most valuable and operationally vital systems. Once these risks are identified, agencies are responsible for developing a cyber security plan to mitigate those risks.

This audit focussed on two agencies: Transport for NSW (TfNSW) and Sydney Trains. TfNSW is the lead agency for the Transport cluster and provides a number of IT services to the entire cluster, including Sydney Trains. This audit focussed on the activities of TfNSW's Transport IT function, which is responsible for providing cyber security across the cluster, as well as directly overseeing four of TfNSW's crown jewels. Sydney Trains is one of the agencies in the Transport cluster. While it receives some services from TfNSW, it is also responsible for implementing its own IT controls, as well as controls to protect its Operational Technology (OT) environment. This OT environment includes systems which are necessary for the operation and safety of the train network.

To test the mitigations in place and the effectiveness of controls, this audit involved a 'red team' simulated exercise. A red team involves authorised attackers seeking to achieve certain objectives within the target's environment. The red team simulated a determined external cyber threat actor seeking to gain access to TfNSW's systems. The red team also sought to test the physical security of some Sydney Trains' sites relevant to the agency's cyber security. The red team exercise was conducted with the knowledge of TfNSW and Sydney Trains.

This audit included the Department of Customer Service as an auditee, as they have ownership of the CSP through Cyber Security NSW. This audit did not examine the management of cyber risk in the Department of Customer Service.

This audit assessed how effectively selected agencies identify and manage their cyber security risks. The audit assessed this with the following criteria:

• Are agencies effectively identifying and planning for their cyber security risks?
• Are agencies effectively managing their cyber security risks?

Following this in-depth portfolio assessment, the Auditor-General for NSW will also table a report on NSW agencies' compliance with the CSP in the first quarter of 2021–22.

Agencies have assessed their cyber risks as being above acceptable levels

An agency's risk tolerance is the amount of risk which the agency will accept or tolerate without developing further strategies to modify the level of risk. Risks that are within an agency's risk tolerance may not require further mitigation and may be deemed acceptable, while risks which are above the agency's risk tolerance likely require further mitigation before they become acceptable to the agency.

Both agencies have defined their risk tolerance and have identified risks which are above this level, indicating that they are unacceptable to the agency. TfNSW has defined 'very high' risks as generally intolerable and 'high' risks as undesirable. Its risk tolerance is 'medium'. Sydney Trains has four classifications of risk: A, B, C and D. A and B risks are deemed 'unacceptable' and 'undesirable' respectively, while C risks are considered 'tolerable'. This aligns with the TfNSW definition of a medium risk tolerance.

Transport IT reported five enterprise-level cyber security risks through its enterprise risk reporting tool in September 2020, all of which relate to cyber security or have causes relating to cyber security. These risks are in aggregate form, rather than relating to specific vulnerabilities. At the time of the audit, one of these risks was rated as very high and the other four rated as high. At this time, Transport IT had identified a further seven divisional-level risks which were above the agency’s risk tolerance.

Similarly, Sydney Trains has identified one main cyber security risk in its IT enterprise-level risk register and another with a potential cyber cause. Both of these IT risks are deemed to have a residual risk of ‘unacceptable’.

Similarly, two cyber-related OT risks have been determined to be above the agency's risk tolerance. One risk is rated as 'unacceptable'. Another risk, while not entirely cyber rated, is rated 'undesirable' and is deemed to have some causes which may stem from a cyber-attack.

Agencies have assessed their current cyber risk mitigations as requiring improvement

In addition to the risk ratings stated above, at the time of the audit neither agency believed that its controls were operating effectively. Transport IT had rated the control environments for its cyber security enterprise risks as 'requires improvement'. Mitigations were listed in the risk register for these risks but, in some cases, they were unlikely to reduce the risk to the target state or by the target date. For example, one risk had actions listed as 'under review' and no further treatment actions listed, but a due date of July 2021, while another risk was being treated by the CDP with a due date of July 2021. The CDP identified in May 2020 that while the average risk identified as part of that program will be reduced to a medium level by this date, ten high risks will still remain. Given the delays in the program, this number may be higher. As such, it seems unlikely that the enterprise risk will be reduced to below a 'high' level by July 2021.

Sydney Trains’ IT and OT risk registers cross-reference controls and mitigations against the causes and consequences. The IT cyber security risk identified in the register had causes with no mitigations designed for them. Further, some of these causes did not have future mitigations designed for them. This risk also had controls in place which are identified as partially effective. For the unacceptable OT risk noted above, while there was a control designed for each of the potential causes, Sydney Trains had identified all of the controls in place as either partially effective or ineffective. This indicates that Sydney Trains was not effectively mitigating the causes of its cyber risks and, even where it had designed controls or mitigations, these were not always implemented to fully mitigate the cause of the risk.

Additional information on gaps in cyber mitigations which were exposed in the course of this audit has been detailed to both agencies. The Foreword of this report provides information about why this detail is not included here.

Essential 8 maturity is low across TfNSW and Sydney Trains and little progress was made in 2020

CSP mandatory requirement 3.2 states that agencies must implement the ACSC Essential 8. Agencies must also rate themselves against each of the Essential 8 on a maturity scale from zero to three and report this to Cyber Security NSW. A full list of the Essential 8 can be found in Exhibit 1. Both agencies have a low level of maturity against the Essential 8 not just in comparison to the targets they have set, but also in relation to the risks and vulnerabilities exposed. Both agencies have set target maturity ratings for the Essential 8 but none of the Essential 8 ratings across either agency are currently implemented to this level. Having a low level of Essential 8 maturity exposes both agencies to significant risks and vulnerabilities. Little progress was made between the 2019 and 2020 attestation periods.

Transport IT has set a target rating of three across all of the Essential 8. Sydney Trains has set a target rating of three for its IT systems. Sydney Trains had an interim target of two for its OT systems in 2020 and advised that this has since increased to three. It should be noted that not all the Essential 8 are applicable to OT systems.

None of the Essential 8 ratings across either agency are currently implemented to the target levels. Given that the Essential 8 provide the controls which are most commonly able to deter cyber-attacks, having maturity at a low level potentially exposes agencies to a cyber security attack.

Some work is underway across both TfNSW and Sydney Trains to improve the Essential 8 control ratings. The CDP provided some resources to the Essential 8 over 2019–20, with uplift focusing on specific systems. The CDP work in 2019 and 2020 relevant to the Essential 8 largely focussed on determining the current state of the Essential 8 and creating a target state roadmap. As a result, there was little improvement between the 2019 and 2020 attestation periods. The CDP has a workstream for the Essential 8 in its FY 2020–21 funding allocation, however as noted above in Exhibit 6 this was delayed as resources were redeployed to Project La Brea. Regardless, work on some specific aspects of the Essential 8 remain part of the 2020–21 CDP allocation, with workstreams allocated to improving three of the Essential 8. In addition, some work from Project La Brea should lead to an improvement in the Essential 8.

Sydney Trains' Cyber Uplift Program included a workstream which had in scope the uplift in the Essential 8 in IT. There were also other workstreams which aimed to improve some of the Essential 8 for OT systems. Work is also ongoing as part of the CDP to uplift these scores in Sydney Trains.

TfNSW and Sydney Trains have not reached their target maturity across the CSP mandatory requirements and TfNSW has not evaluated its cluster-wide target to ensure it is appropriate

Cyber Security NSW allows each agency to determine its target level of maturity for the first 20 CSP mandatory requirements. Agencies can tailor their target levels to their risk profile. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles.

Sydney Trains has set its target level of maturity for IT and OT. All of Sydney Trains' target maturity levels are at least a three (defined), with a target of four (quantitatively managed) for many of the mandatory requirements. While Cyber Security NSW does not currently mandate a minimum level of maturity, in 2019 there was a requirement for each agency to target a minimum level of three.

Sydney Trains has not met its target ratings across the mandatory requirements.

The Transport Cyber Defence Rolling Program has a program KPI to ensure that the entire cluster reaches a minimum maturity level of three against all the CSP requirements by 2023. TfNSW has not reviewed its CSP mandatory requirement targets to determine if a three is desirable for all requirements or if a higher target level may be more appropriate. It is important for senior management to set cyber security objectives as a demonstration of leadership and a commitment to cyber security.

TfNSW has not met its target ratings across the mandatory requirements for its Group IT ISMS, which was the focus of this audit.

Both agencies claimed progress in their implementation of the mandatory requirements between 2019 and 2020. The audit did not seek to verify the self-assessed results from either agency.

Both agencies operate ISMS in line with the CSP

CSP mandatory requirement 3.1 requires agencies to implement an Information Security Management System (ISMS) or Cyber Security Framework (CSF), with scope at least covering systems identified as the agency's ‘crown jewels’. The ISMS or CSF should be compliant with, or modelled on, one or more recognised IT or OT standard. As noted in the introduction, an ISMS ‘consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organisation, in the pursuit of protecting its information assets.’ Both agencies operate an ISMS compliant with the CSP requirement.

As noted in the introduction, TfNSW operates four ISMS. The Transport IT ISMS is certified against ISO27001, the most common standard for ISMS certification. Three of TfNSW’s six crown jewels are managed within this ISMS. The other ISMS are not certified to relevant standards, though TfNSW claims that they align with relevant controls. This is sufficient for the purposes of the CSP.

Sydney Trains operates two ISMS, one for IT and another for OT. Neither of these are certified to relevant ISMS Standards, however there have been conformance reviews of both IT and OT with relevant standards. These ISMS cover all crown jewels in the agency.

There are currently 11 ISMS in operation across the Transport cluster. TfNSW has proposed moving towards a holistic approach to these ISMS, with the CDP Board responsible for governing the available security controls and directing agency IT and OT teams to implement these.

Agencies are not routinely conducting audits of third-party suppliers to ensure compliance with contractual obligations

CSP mandatory requirement 1.5 makes agencies accountable for the cyber risks of their ICT service providers and ensuring that providers comply with the CSP and any other relevant agency security policies. The ACSC has provided advice on what organisations should do when managing third party suppliers of ICT. The ACSC advises that organisations should use contracts to define cyber security expectations and seek assurance to ensure that these contract expectations are being met. While both agencies usually include specific cyber security expectations in contracts, neither is routinely seeking assurance that these expectations are being met.

The NSW Government has mandated the use of the 'Core& One' contract template for low-value IT procurements and the Procure IT contract template for high-value IT procurements. Both of these contracts contain space for the procuring agency to include cyber security controls for the contractor to implement. The Procure IT contract template also includes a right-to-audit clause which allows agencies to receive assurance around the implementation of these controls. TfNSW and Sydney Trains used the mandated contracts for relevant contracts examined as part of this audit.

TfNSW included security controls in all the contracts examined as part of this audit. Compliance with ISO27001 was the most commonly stated security expectation. Of the contracts examined as part of this audit, only one contract did not have a right-to-audit clause. This contract was signed in October 2016. While these clauses are in place, TfNSW rarely conducted these audits on its third-party providers. Of the eight TfNSW contracts examined in detail, only two of these had been audited to confirm compliance with the stated security controls.

Sydney Trains included security controls in all but one of the contracts examined as part of this audit. Sydney Trains did not require contractors to be compliant with ISO27001, but only required compliance with whole-of-government policies. Sydney Trains does not routinely conduct audits of its third-party suppliers, however it did conduct deep-dive risk analyses of its top ten highest risk IT suppliers. This involved a detailed review of both the suppliers' security posture and also the contract underpinning the relationship with the supplier.

The CDP funding for 2020–21 includes a workstream for strategic third-party contract remediation. This funding is to conduct some foundational work which will allow the CDP to make further improvements in future years. While this funding will not address gaps in contract requirements or management across all contracts, this workstream aims to reduce the risks posed by strategic suppliers covering critical assets. Similarly, work is currently underway as part of the CDP to conduct OT risk assessments for key suppliers to Sydney Trains in a similar way to the work undertaken for IT suppliers.

Sydney Trains has risk assessed its third-party suppliers but TfNSW has not done so

It is important to conduct a risk assessment of suppliers to identify high-risk contractors. This allows agencies to identify those contractors who may require additional controls stated in the contract, those who require additional oversight, and also where auditing resources are best targeted.

Sydney Trains has risk assessed all its IT suppliers and, as noted above, has conducted a deep-dive risk analysis of its top ten highest risk suppliers. TfNSW has not undertaken similar analysis of its key suppliers, however it has identified risks attached to each of its strategic suppliers and has documented these. As a result of not risk assessing its suppliers, TfNSW cannot take a targeted approach to its contract management.

TfNSW demonstrated poor records handling relating to the contracts examined as part of this audit

TfNSW was not able to locate one of the contracts requested as part of the audit's sample. Other documentation, such as contract management plans, could not be located for many of the other contracts requested as part of this audit. These poor document handling practices limits TfNSW's ability to effectively oversee service providers and ensure that they are implementing agreed controls. It also limits public transparency on the effectiveness of these controls.

The Transport cluster is not effectively implementing cyber security awareness training

Agencies are responsible for implementing regular cyber security education for all employees and contractors under mandatory requirement 2.1 in the CSP. TfNSW is responsible for delivering this training to the whole Transport cluster, including Sydney Trains. The Transport cluster has basic cyber awareness training available for all staff. TfNSW also offers additional training provided by Cyber Security NSW targeted at executives and executive assistants. While TfNSW has training available to staff, it is not delivering this effectively. TfNSW does not make training mandatory for most staff nor does it require staff to repeat training regularly. Even among those staff who have been assigned the training, completion rates are low, meaning that delivery is not effectively monitored. Cyber security training is important for building and supporting a cyber security culture.

TfNSW is responsible for creating and rolling out all forms of training to agencies within the Transport cluster. Both TfNSW and Sydney Trains have the same mandatory cyber awareness training that is automatically assigned to new starters. At the time of the audit, this training was not mandatory for ongoing staff. TfNSW does make additional cyber security training available to staff who can choose to undertake the training themselves, or can be assigned the training by their manager. All TfNSW cyber security training is delivered via online modules and it is the responsibility of managers to ensure that it is completed.

Cyber security training completion rates for both TfNSW and Sydney Trains are low. Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021. Although this course is mandatory for new starters, only 53 per cent of staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021. As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time. In Sydney Trains, less than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the 'Cyber Security: Beyond the Basics' training. These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.

In October 2020, the Department of Customer Service released 'DCS-2020-05 Cyber Security NSW Directive - Practice Requirement for NSW Government', which made annual cyber security training mandatory for all staff from 2021. In line with this requirement, TfNSW has advised that it will be gradually implementing mandatory annual training from July 2021 for all staff.

The Transport cluster undertakes activities to build a cyber-aware culture in accordance with the CSP, but awareness remains low

Increasing staff awareness of cyber security risks and maintaining a cyber secure culture are both mandatory requirements of the CSP. While TfNSW does undertake some activities to build a cyber aware culture, awareness of cyber security risks remains low. This can be demonstrated by the low training rates outlined above, and the 'Spot the Scammer' exercise, described in Exhibit 7. TfNSW is responsible for delivering these awareness raising activities across the cluster.

TfNSW frequently communicates with staff across the Transport cluster about various cyber security risks through multiple avenues. Both agencies use the intranet, emails and other awareness raising activities to highlight the importance for staff to be aware of the seriousness of cyber risks. Advice given on the intranet includes tips for spotting scammers on mobile phones, promoting the cluster-wide training courses, as well as various advice that staff could use when dealing with cyber risks in the workplace.

In addition to these awareness raising activities, TfNSW has also undertaken a cluster-wide phishing email exercise called 'Spot the Scammer'. This is outlined in Exhibit 7. This exercise was carried out in 2019 and 2020 and allowed the Transport cluster to measure the degree to which staff were able to identify phishing emails. As can be seen in Exhibit 7, the results of this exercise indicate that staff awareness of phishing emails remains low.

Appendix one – Response from agencies

Appendix two – Cyber Security Policy mandatory requirements

Appendix three – About the audit

Appendix four – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #353 - released (13 July 2021).

The Auditor-General for New South Wales, Margaret Crawford, has today released a report on Transport for NSW’s (TfNSW) acquisition of 4–6 Grand Avenue in Camellia.

This audit, which was requested on 17 November 2020 by the Hon. Andrew Constance MP, the Minister for Transport and Roads, examined:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

The audit found that TfNSW conducted an ineffective process when it purchased 4–6 Grand Avenue, Camellia. The audit also found that TfNSW’s internal policies and procedures to guide the transaction were, and continue to be, insufficient.

The Auditor-General has made seven recommendations to address the issues identified in the report.

On 17 November 2020, the Hon. Andrew Constance MP, the Minister for Transport and Roads, requested this audit under section 27B(3)(c) of the Public Finance and Audit Act 1983.

On 15 June 2016, Transport for New South Wales (TfNSW) acquired 6.3 hectares of land at 4–6 Grand Avenue, Camellia, by agreement from Grand 4 Investments Pty Ltd. Grand 4 Investments was a business entity established by the owners of Billbergia Pty Ltd, a property development and investment company.

TfNSW paid Grand 4 Investments $53.5 million and assumed liability for addressing environmental issues and contamination associated with the site. This took place seven months after the vendor acquired the land as part of a competitive Expression of Interest process, in which TfNSW also participated, for $38.15 million.

TfNSW is the NSW Government agency responsible for most major transport infrastructure projects in New South Wales. TfNSW acquired the Camellia site for use as a stabling and maintenance depot to support the Parramatta Light Rail (PLR) project.

Consistent with the minister’s request, this audit assessed:

• whether TfNSW conducted an effective process to purchase 4–6 Grand Avenue, Camellia
• whether TfNSW has effective processes and procedures to identify and acquire property required to deliver the NSW Government’s major infrastructure projects.

In considering the effectiveness of the processes for this purchase, the audit considered:

• the requirements of the Land Acquisition (Just Terms Compensation) Act 1991 (the Act)
• the application of sound processes to manage risk to the NSW Government and to achieve value for money
• the application of disciplines associated with complex procurement, such as probity, in a NSW Government context.

In 2015, TfNSW identified that it would require a stabling and maintenance depot in the Camellia area for the Parramatta Light Rail

In 2014, TfNSW commissioned an external engineering consultancy to undertake a feasibility design study for the Parramatta Light Rail - the Parramatta Transport Corridor Strategy Feasibility Design study (herein referred to as ‘the feasibility study’). In early 2015, TfNSW received the feasibility study, which was one of several key sources that informed the development of business cases for the PLR.

The feasibility study recommended that TfNSW should consolidate the maintenance and cleaning operations with overnight stabling facilities on one site. The study noted that the optimal location for any such site would be in close proximity to the proposed network, and noted that the site must have access to road connections to accommodate access for cars and trucks.

The study found that a centrally located stabling and maintenance facility would be required for all routes serving the Parramatta CBD, and that the Camellia industrial area was a preferred location for such a facility. The study noted that the Camellia area was contaminated.

The feasibility study notes that its conclusions were based on assumptions about the light rail system adopted and decisions made by the future operator of the system, who had not yet been selected or appointed.

TfNSW's decision to progress a potential acquisition in 2015 considered the risk that the site may not be required

TfNSW's FIC was responsible for making decisions on funding allocations at a whole of program level within TfNSW. FIC was also responsible for approving ‘high-risk/high-value’ variations to program budgets. Members of the FIC included:

• Secretary of Transport for NSW
• Deputy Secretary, Infrastructure and Services
• Deputy Secretary, Freight, Strategy and Planning
• Deputy Secretary, Customer Services
• Deputy Secretary Finance and Investment
• Deputy Secretary People and Corporate Services.

An April 2015 submission, from the then Deputy Director-General to the agency’s FIC, sought authorisation and funding approval to participate in an Expression of Interest sale process. It noted the risk that the project may not go ahead. The submission advised that:

By acquiring a strategic site now, it reduces the risk of having to pay an improved value or a value that may be subject to rapidly improving land values due to changes in land use and rezoning.

The property can be acquired for the project, held strategically and income generated by leasing the site as hardstand ¹ space until the project requires the land for the Parramatta Light Rail project.

If the project does not proceed in the medium to longer term, the property can be sold at a premium to what has been paid today as property fundamentals improve.

This submission acknowledged the risks associated with environmental contamination and proposed that these risks would be managed by negotiating a contract where the remediation and associated expenses would be at the landowner’s cost. 

TfNSW assessed the 4–6 Grand Avenue site as one of several sites in Camellia that was a feasible location for a stabling and maintenance facility

The Departmental feasibility study assessed six potential sites for a stabling and maintenance facility, including 4–6 Grand Avenue, noting strengths and weaknesses of each site. A different site on Grand Avenue was assessed as the ‘base case’ option (1 Grand Avenue). The study’s comments on the 4–6 Grand Avenue site included the following:

With an area of approximately 63,000m², this site has sufficient space for a depot with the required stabling yard and maintenance facilities. The location allows for good road access and LRT [light rail transit] access would be from Grand Avenue, which may require a road crossing or signalised intersection. The site has been used for general industrial uses; however the land has been cleared and is currently undergoing remediation ². The site is not affected by flooding based on one in 100-year flood data.

In early 2015, once the opportunity to acquire 4–6 Grand Avenue emerged, TfNSW commissioned a specific feasibility study of the 4–6 Grand Avenue site. The feasibility studies clearly documented the existence of environmental contamination. In April 2015, the report concluded:

Given the limitations of this report and within the parameters that have been set it is concluded that from a spatial and geographic perspective the site at 6 Grand Avenue would be suitable as a stabling and maintenance depot for the Parramatta light rail project. There are few engineering and environmental constraints that would affect the feasibility level analysis of this site and all issues identified, within this desk study, are considered to be resolvable. However this being said there is a significant amount of work necessary to reach the final layout and definition of the stabling and maintenance depot. There are numerous items which require further consideration and conformation; planning approvals could impose restrictions on building heights, noise mitigation measures, light and visual impact requirements all of which can have significant impacts on the spatial requirements of any stabling and maintenance depot. 

The acquisition of 4–6 Grand Avenue was not informed by a Property Acquisition Strategy

For major projects, TfNSW typically requires the project team to complete a Property Acquisition Strategy, which is intended to guide both process as well as specific acquisition issues expected to be faced during the project. The Property Acquisition Strategy is not a mandated document but is a recommended tool to support property acquisition as part of major projects.

TfNSW did not have a Property Acquisition Strategy in place to guide the 2015 Expression of Interest process. On 6 November 2015, the then Project Director for the PLR project emailed the property team, noting a need to develop a Property Acquisition Strategy to close off the scoping design and preliminary business case.

In January 2016, TfNSW developed a draft Property Acquisition Strategy for the Parramatta Light Rail Project, although it was silent on the potential sites for the stabling and maintenance facility.

TfNSW focussed on 4–6 Grand Avenue because it was available and aligned to TfNSW's strategic interests

In early 2015, officials commenced monitoring the market for industrial real estate in the Camellia area and surrounds for possible sites for a stabling and maintenance facility.

In March 2015, then owner of the site, Akzo Nobel Pty Limited released the 4–6 Grand Avenue site through an Expression of Interest process managed by CBRE.

TfNSW’s then Deputy Director-General, Planning, sought approval from FIC to lodge an Expression of Interest up to $30.0 million. Approval was sought on the basis that it would ‘provide certainty for the Parramatta Light Rail project by allowing for a depot site in a suitable location and potentially avoid higher costs or longer timeframes associated with compulsory acquisition following completion of the project’s business case’. FIC approved the request at its meeting on 9 April 2015.

At this time, TfNSW had not conducted any analysis of financial or operational benefits and costs of the potential sites identified in earlier feasibility studies. TfNSW staff advised us that the decision to participate in the Expression of Interest process for 4–6 Grand Avenue was because it was available. There is no documentation substantiating this statement, which TfNSW staff provided verbally as part of this audit.

In November 2015, TfNSW was advised that it was unsuccessful in the Expression of Interest process and that Grand 4 Investments (a related entity of Billbergia) had purchased 4–6 Grand Avenue. TfNSW did not conduct any further analysis of alternative potential sites in Camellia between this date and commencing discussions with Grand 4 Investments in April 2016. In that time there had been some movement on other properties that were included in the feasibility study, including 37–39a Grand Avenue being under offer in September 2015.

In March 2016, TfNSW approached CBRE to organise a meeting with Grand 4 Investments. On 1 April 2016, TfNSW met with Grand 4 Investments.

TfNSW advises that a perceived benefit of the 4–6 Grand Avenue site was that it was not subject to other uses or leaseholds that would increase the cost of compulsory acquisition. Officers involved in the acquisition advised that other nominated sites in the feasibility study were subject to other uses or leaseholds. 

Appendix one – Response from agency 

Appendix two – About the audit 

Appendix three – Performance auditing

Copyright Notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #349 - released (18 May 2021).

This report analyses the results of our audits of the financial statements of the Treasury, Premier and Cabinet, Customer Service cluster agencies (central agencies), and the Legislature for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides Parliament and other users of NSW Government central agencies' financial statements and the Legislature's financial statements with the results of our financial audits, observations, analyses, conclusions and recommendations.

Emergency events, such as bushfires, floods and the COVID-19 pandemic significantly impacted agencies in 2019–20. Our findings on nine agencies that were most impacted by recent emergency events are included throughout this report.

Refer to Appendix one for the names of all central agencies and Appendix four for the nine agencies most impacted by emergency events.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely. This chapter outlines our audit observations on the financial reporting of central agencies and the Legislature for 2020, including the financial implications from recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines:

• our observations and insights from the financial statement audits of agencies in the central agencies and the Legislature
• our assessment of how well agencies adapted their systems, policies, procedures and governance arrangements in response to recent emergencies.

Appendix one – Timeliness of financial reporting by agency

Appendix two – List of 2020 recommendations

Appendix three – Status of 2019 recommendations

Appendix four – Agencies most impacted by recent emergency events

Appendix five – Management letter findings by agency

Appendix six – Financial data

This report provides parliament and other users of the Transport cluster’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations
• the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Transport cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statement audits of agencies in the Transport cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019, 2018 and 2017 recommendations

Appendix three – Management letter findings

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

This report analyses the results of our audits of financial statements of the Planning, Industry and Environment cluster agencies for the year ended 30 June 2020. The table below summarises our key observations.

1. Financial reporting

2. Audit observations

This report provides parliament and other users of the Planning, Industry and Environment cluster agencies’ financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations
• the impact of emergencies and the pandemic.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

The COVID‑19 Legislation Amendment (Emergency Measures–Treasurer) Act 2020 amended legislation administered by the Treasurer to implement further emergency measures as a result of the COVID‑19 pandemic. These amendments:

• allowed the Treasurer to authorise payments from the Consolidated fund until the enactment of the 2020–21 budget – impacting the going concern assessments of cluster agencies
• revised budgetary, financial and annual reporting time frames – impacting the timeliness of financial reporting
• exempted certain statutory bodies and departments from preparing financial statements.

This chapter outlines our audit observations related to the financial reporting of agencies in the Planning, Industry and Environment cluster for 2020, including any financial implications from the recent emergency events.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our:

• observations and insights from our financial statements audits of agencies in the Planning, Industry and Environment cluster
• assessment of how well cluster agencies adapted their systems, policies and procedures, and governance arrangements in response to recent emergencies
• review of how the cluster agencies managed the increased risks associated with new programs aimed at stemming the spread of COVID-19 and stimulating the economy.

Cluster agencies experienced a range of control and governance related issues in recent years. An increased number of high risk issues and greater proportion of repeat issues were identified as part of our audits. It is important for cluster agencies to promptly address these issues.

Appendix one – List of 2020 recommendations

Appendix two – Status of 2019 recommendations

Appendix three – Financial data

Appendix four – Management letter findings

Appendix five – Timeliness of financial reporting

Appendix six – Selected agencies for review of response to emergency events

The Auditor-General for New South Wales, Margaret Crawford today released her report on the findings and recommendations from the 2019–20 financial audits that relate to internal controls and governance at 40 of the largest agencies in the NSW public sector.

The bushfire and flood emergencies and the COVID‑19 pandemic continue to have a significant impact on the people and public sector of New South Wales. The scale of the government response to these events has been significant. The report focuses on the effectiveness of internal controls and governance processes, including relevant agencies’ response to the emergencies. In particular, the report focuses on:

• financial and information technology controls
• business continuity and disaster recovery planning arrangements
• procurement, including emergency procurement
• delegations that support timely and effective decision-making.

Due to the ongoing impact of COVID‑19 agencies have not yet returned to a business‑as‑usual environment. ‘Agencies will need to assess their response to the recent emergencies and update their business continuity, disaster recovery and other business resilience frameworks to reflect the lessons learnt from these events’ the Auditor-General said.

The report noted that special procurement provisions were put in place to allow agencies to better respond to the COVID-19 pandemic. The Auditor-General recommended agencies update their procurement policies to reflect the current requirements of the NSW Procurement Framework and the emergency procurement requirements.

Read the PDF report

This report analyses the internal controls and governance of 40 of the largest agencies in the NSW public sector for the year ended 30 June 2020. These 40 agencies constitute an estimated 85 per cent of total expenditure for all NSW public sector agencies.

1. Internal control trends

2. Information technology controls

3. Business continuity and disaster recovery planning

4. Procurement, including emergency procurement

5. Delegations

6. Status of 2019 recommendations

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies we found across agencies. The rest of this report presents this year’s controls and governance findings in more detail.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency business continuity and disaster recovery planning arrangements.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of procurement agency procurement policies and procurement activity.

This chapter outlines our audit observations, conclusions and recommendations, arising from our review of agency compliance with financial and human resources delegations.

Appendix one – List of 2020 recommendations 

Appendix two – Status of 2019 recommendations

Appendix three – Cluster agencies

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released her report today on State Finances for the year ended 30 June 2020.

‘I am pleased to once again report that I issued an unmodified audit opinion on the State’s consolidated financial statements,’ the Auditor-General said.

The report acknowledges this has been a challenging year, with New South Wales impacted by natural disasters and the COVID-19 pandemic.

The State’s Budget Result, reported in the financial statements, was a deficit of $6.9 billion. This is different to the 2019-20 budget forecast surplus of $1.0 billion and is an outcome of the government’s significant response to bushfires and COVID-19.

The report summarises a number of audit and accounting matters arising from the audit of the Total State Sector Accounts, a sector that comprises 291 entities controlled by the NSW Government with total assets of $495 billion and total liabilities of $256 billion.

Read full report (PDF)

Our audit opinion on the State’s 2019–20 financial statements was unmodified

An unmodified audit opinion was issued on the State’s 2019–20 consolidated financial statements.

The State extended signing its financial statements by six weeks.

Natural disasters, the COVID-19 pandemic and other factors impacted the State’s 2019–20 reporting timetable. The State extended signing its financial statements by six weeks, compared with 2018–19.

All agencies were also given a two-week extension to prepare their financial statements compared with 2018–19. Further extensions beyond two weeks were subsequently approved for the following 11 agencies (7 in 2018–19) to submit completed financial statements for audit:

• Department of Communities and Justice
• Department of Customer Service
• Department of Planning, Industry and Environment
• Department of Regional NSW
• Department of Transport
• Environment Protection Authority
• Infrastructure NSW
• Lord Howe Island Board
• NSW Crown Holiday Parks Land Manager
• Service NSW
• Water Administration Ministerial Corporation.

The extensions reflected that the COVID-19 pandemic impacted agencies’ work environments during the first six months of 2020. This was at a time when many were still implementing machinery of government changes and preparing to implement three significant new accounting standards:

• AASB 15 Revenue from Contracts with Customers (issued December 2014, effective 1 July 2019)
• AASB 16 Leases (issued February 2016, effective 1 July 2019)
• AASB 1058 Income of Not-for-profit entities (issued December 2016, effective 1 July 2019).

These new accounting standards were issued some years before they became effective, to allow reporting entities sufficient time to prepare for implementation. Notwithstanding this, some agencies had not fully implemented the new accounting standards in time for early close procedures, and the unforeseen impact of COVID-19 further complicated the year-end financial reporting processes for the State and its agencies.

The graph below shows the number of reported errors exceeding $20 million over the past five years in agencies’ financial statements presented for audit.

In 2019–20, agency financial statements presented for audit contained 19 errors exceeding $20 million (six in 2018–19). The total value of these errors increased to $1.4 billion ($927 million in 2018–19).

The errors resulted from:

• incorrectly applying Australian Accounting Standards and Treasury Policies
• incorrect judgements and assumptions when valuing noncurrent physical assets and liabilities
• incorrectly interpreting the accounting treatment for unspent stimulus funding.

Errors in agency financial statements exceeding $20m (2016–2020)

$4.1 billion in stimulus funding was allocated in 2019–20

The government implemented an economic stimulus package primarily to mitigate the impacts of the COVID-19 pandemic on New South Wales.

The COVID-19 pandemic and bushfires had a significant impact on the State’s finances, reducing its revenue and increasing its expenses especially in sectors directly responsible for responding to the COVID-19 pandemic, such as Health.

The government announced a $4.1 billion health and economic stimulus package in 2019–20. This primarily included:

• $2.2 billion in health measures including purchases of essential medical equipment and increasing clinical health capacity (like intensive care spaces)
• $1.0 billion in small business and land tax relief
• $355 million in extra cleaning services and quarantine costs.

Cluster agencies had spent $3.0 billion (just under 75 per cent) of the COVID-19 stimulus package by 30 June 2020.

The Health cluster incurred most of this expenditure.

Total spend relating to bushfires was $1.3 billion in 2019–20.

The graph below shows the total allocation and spend by cluster to 30 June 2020.

Economic stimulus allocation and spend by cluster to 30 June 2020

Deficit of $6.9 billion compared with a budgeted surplus of $1.0 billion

An outcome of the government’s overall activity and policies is its net operating balance (Budget Result). This is the difference between the cost of general government service delivery and the revenue earned to fund these sectors.

The General Government Sector, which comprises 199 entities, generally provides goods and services funded centrally by the State.

The Non-General Government Sector, which comprises 92 government businesses, generally provides goods and services, such as water, electricity and financial services that consumers pay for directly.

The Budget Result for the 2019–20 financial year was a deficit of $6.9 billion. The original budget forecast, set before the COVID-19 pandemic and bushfires, was a $1.0 billion surplus. The main driver of the change in result was:

• $1.3 billion of higher employee costs, mainly due to:
  • increased workers compensation claims
  • additional personnel required (mainly in the Health sector) to respond to the COVID-19 pandemic
• $2.3 billion of higher operating expenses, mainly due to:
  • $828 million from first time recognition of a child abuse claim liability
  • $507 million from additional insurance claims from the NSW bushfires
  • $343 million from COVID-19 claims by agencies for loss of revenue.
• $1.8 billion in higher grants and subsidy expenses, mainly due to:
  • small business grants
  • COVID-19 quarantine compliance measures
  • costs incurred in response to the 2019–20 bushfires, drought and disaster relief payments
  • third party-controlled assets that were subsequently transferred to councils and utility providers, mainly arising from construction of the CBD and South East Light Rail.

The deficit was further driven by:

• $1.9 billion less taxation revenue, mainly resulting from:
  • $1.3 billion less in payroll tax due to relief measures introduced by the government as part of its COVID-19 economic stimulus
  • $424 million less in gambling and betting taxes, due to venue closures required by COVID-19 public health orders
• $523 million less in dividends and income tax revenue from the Non-General Government Sector, due to lower dividends received from NSW Treasury Corporation and from the State’s other commercial government businesses
• lower fines, regulatory fees and other revenue, due to a $305 million decrease in mining royalties, largely driven by lower coal prices.

Main drivers of the 2019–20 actual vs. budget variance

Revenues increased $209 million to $86.3 billion

In 2019–20, the State’s total revenues increased by $209 million to $86.3 billion, 0.2 per cent higher than in 2018–19. COVID-19 impacted taxation revenue, which fell by $1.1 billion and revenue from the sale of goods and services, which fell by $1.1 billion. These falls were offset by a $2.5 billion (7.7 per cent) increase in grants and subsidies from the Australian Government, mainly in the form of additional stimulus funding.

Taxation revenue fell 3.5 per cent

Taxation revenue fell by $1.1 billion, mainly due to a:

• $861 million fall in payroll tax as a result of COVID-19 relief (reduced payroll tax payments for eligible small businesses)
• $430 million fall in stamp duty collections, driven by lower than expected growth in the property market
• $427 million decline in gambling and betting taxes, mainly due to venue closures driven by COVID-19 public health orders.

Stamp duties of $8.8 billion were the largest source of taxation revenue, $473 million higher than payroll tax, the second-largest source of taxation revenue.

Australian Government grants and subsidies

The State received $34.2 billion in grants and subsides which are mainly from the Australian Government, $2.4 billion more than in 2018–19.

The increase was driven by a $1.1 billion increase in Commonwealth Specific Purpose Payments to support the Health cluster respond to the COVID-19 pandemic. Commonwealth National Partnership Payments increased by a similar amount to provide the State with Natural Disaster relief.

Sales of goods and services

In 2019–20, sales of goods and services fell $1.1 billion. This was due to the COVID-19 pandemic reducing:

• patronage and related transport passenger revenue
• health billing activities with elective surgery being put on hold

Fines, regulatory fees and other revenues

Fines, regulatory fees and other revenues fell $505 million. This was mainly due to a $409 million decrease in mining royalties attributed to a drop in thermal coal prices during 2019–20.

Other dividends and distributions

Other dividends and distributions rose by $616 million due to higher distributions received from the State’s investments. This was due to an additional $1.3 billion held in the State’s investment portfolio compared with last year.

Expenses increased $8.2 billion to $96.0 billion

The State’s expenses increased 9.3 per cent compared with 2018–19. Most of the increase was due to higher employee expenses, other operating costs and grants and subsidies.

Employee expenses, including superannuation, increased 5.7 per cent to $42.6 billion.

Salaries and wages increased to $42.6 billion from $40.3 billion in 2018–19. This was mainly due to increases in staff numbers and a 2.5 per cent increase in pay rates across the sector. Salaries and wages for the Education and Health sectors increased by $659 million and $732 million in each sector respectively.

The Health sector employed an additional 2,763 full time staff in 2019–20. It also incurred more overtime in response to COVID-19. Education increased staff numbers by 4,866 full time equivalents and paid a one off 11 per cent pay rise to school administration staff in 2019–20. Historically, the government wages policy aims to limit growth in employee remuneration and other employee related costs to no more than 2.5 per cent per annum.

Operating expenses increased 8.7 per cent to $27.0 billion.

Operating expenses increased to $27.0 billion in 2019–20 ($24.8 billion in 2018–19) due to higher operating activities in Health. The higher level of activities and related costs is attributed to a full year of operations at the Northern Beaches Hospital (opened November 2018), and responding to COVID-19. The response to COVID-19 involved the State providing viability payments to private hospitals, higher visiting medical officer costs due to additional overtime hours and spending more on equipment to set up COVID-19 testing clinics.

Insurance claims increased by $2.0 billion. This was mainly due to NSW Self Insurance Corporation (SiCorp) recognising a liability for child abuse claims incurred but not reported for the first time, and claims for the 2019–20 bushfires, floods and COVID-19.

Health costs remain the State’s highest expense.

Total expenses of the State were $96 billion ($87.8 billion in 2018–19). Traditionally, the following clusters have the highest expenses as a percentage of total government expenses:

• Health – 24.3 per cent (25.8 per cent in 2018–19)
• Education – 17.6 per cent (19.3 per cent in 2018–19)
• Transport - 12.8 per cent (12.6 per cent in 2018–19).

General public service expenses as a percentage of total State expenses is higher due to a $2.0 billion increase in SiCorp’s accrued claim expenses.

Other expenses increased due to additional grant funding by the State for drought relief and COVID-19 stimulus spend.

Health expenses increased by $632 million compared with 2018–19 but fell as a proportion of total State expenses.

Education expenses remained stable compared with last year due to savings in student transportation costs primarily driven by COVID-19. This led to a decrease in the proportion of the State’s costs relating to education activities.

Grants and subsidies increased $2.5 billion to $14.1 billion.

The increase in grants and subsidies was due to payments the State made to support businesses and local communities in the face of COVID-19 and bushfires. In addition, the State transferred CBD and South East Light Rail assets to councils and utility providers during 2019–20 as it no longer controlled these.

Depreciation expense increased $1.0 billion to $9.2 billion.

Depreciation increased to $9.2 billion from $8.0 billion in 2018–19. At 1 July 2019, the State implemented the new leases standard recognising a right of use (ROU) asset and related lease liability in its financial statements. The value of ROU assets are amortised over the term of the lease. This contributed to $980 million of the increase in 2019–20 depreciation expense. Last year, these costs were previously reported within other operating expenses.

Assets grew by $28.0 billion to $495 billion

The State’s assets primarily include physical assets such as land, buildings and infrastructure, and financial assets such as cash, and other financial instruments and equity investments. The value of total assets increased by $28.0 billion to $495 billion. This was a six per cent increase compared with 2018–19, mostly due to changes in asset carrying values.

Of the State’s $28.0 billion increase in asset values, $9.3 billion was due to a new accounting standard requirement for operating leases to be valued and recorded on balance sheet for the first time.

AASB 16 Leases requires entities recognise values for right-ofuse assets (ROU) for the first time. An ROU asset is a lessee’s right to use an asset, the value of which is amortised over the term of the lease. This standard came into effect from 1 July 2019.

Valuing the State’s physical assets

The value of the State’s physical assets increased by $14.1 billion to $365 billion in 2019–20. The assets include land and buildings ($168 billion), infrastructure ($180 billion) and plant and equipment ($16.7 billion). A prior period error relating to the valuation of RMS infrastructure assets reduced the reported values by $1.0 billion from $352 billion to $351 billion at 30 June 2019.

The movement in physical asset values between years includes additions, disposals, depreciation and valuation adjustments. Other movements include reclassification of physical assets leased under finance leases to right of use assets upon adoption of AASB 16 Leases on 1 July 2019.

Movements in physical asset values

Liabilities increased $38.4 billion to $256 billion

The State borrowed additional funds in response to natural disasters and COVID-19.

The State’s borrowings rose by $33.9 billion to $113.8 billion at 30 June 2020. This accounted for most of the increase in the State’s total liabilities.

The value of TCorp bonds on issue increased by $25.2 billion to $97.0 billion to largely fund capital expenditure and costs associated with the bushfires, drought and COVID-19.

TCorp bonds are actively traded in financial markets and are guaranteed by the NSW Government.

Over 2019–20, TCorp continued to take advantage of lower interest rates, buying back short-term bonds and replacing them with longer dated debt. This lengthens the portfolio matching liabilities with the funding requirements for infrastructure assets.

With effect from 1 July 2019, AASB 16 Leases required the State to recognise liabilities for operating leases for the first time. This increased total lease liabilities from $5.3 billion at 30 June 2019 to $11.8 billion at 30 June 2020.

More than a third of the State’s liabilities relate to its employees. They include unfunded superannuation and employee benefits, such as long service and recreation leave.

Valuing these obligations involves complex estimation techniques and significant judgements. Small changes in assumptions and other variables, such as a lower discount rate, can materially impact the valuation of liability balances in the financial statements.

The State’s unfunded superannuation liability rose $300 million from $70.7 billion to $71.0 billion at 30 June 2020. This was mainly due to a lower discount rate of 0.87 per cent (1.32 per cent in 2018–19). The State’s unfunded superannuation liability represents the value of its obligations to past and present employees less the value of assets set aside to fund those obligations.

The State maintained its AAA credit rating

The object of the Fiscal Responsibility Act 2012 is to maintain the State’s AAA credit rating.

The government manages New South Wales’ finances in accordance with the Fiscal Responsibility Act 2012 (the Act).

The Act establishes the framework for fiscal responsibility and the strategy to maintain the State’s AAA credit rating and service delivery to the people of New South Wales.

The legislation sets out targets and principles for financial management to achieve this.

This year, the State’s credit rating from Standard & Poor’s changed from AAA/Stable to AAA/Negative. Moody’s Investors Service credit rating of Aaa/Stable did not change from the previous year.

The fiscal target for achieving this objective is that General Government annual expenditure growth should be lower than long term average revenue growth.

The State did not achieve its fiscal target of maintaining annual expenditure growth below the long-term revenue growth rate target of 5.6 per cent.

In 2019–20, General Government expenditure grew by 9.7 per cent (5.5 per cent in 2018–19).

Expenditure items that contributed most to the growth rate include:

• recurrent grants and subsidies (20.4 per cent)
• other operating expenses (9.5 per cent)
• employee costs (including superannuation) (5.6 per cent)

Recurrent grant and subsidy expenses increased by $2.8 billion in 2019–20 mainly due to the COVID-19 and natural disaster payments. Other operating expenses increased mainly due to a $2.0 billion increase in SiCorp insurance claims. This included the $828 million provision for child abuse claims incurred but not reported. The bushfires and COVID-19 pandemic also increased the number and cost of claims in 2019–20.

Superannuation funding position since inception of the Act - AASB 1056 Valuation

Appendix one - Prescribed entities

Appendix two - Legal opinions

The Auditor-General for New South Wales, Margaret Crawford, released a report today on how well four councils managed their local infrastructure contributions during the 2017-18 and 2018-19 financial years. 

Local infrastructure contributions, also known as developer contributions, are collected from developers to pay for local infrastructure such as drainage, local roads, open space and community facilities. Controls over local infrastructure contributions help to ensure that all contributions owed are collected, funds are spent as intended, and any contributions paid in the form of works-in-kind or dedicated land are correctly valued.

The audit found that Blacktown City Council and City of Sydney Council provided effective governance over their local infrastructure contributions whereas Central Coast and Liverpool City Councils’ governance arrangements require improvement.

The audit found that three councils had spent local infrastructure contributions in accordance with approved contributions plans. Central Coast Council and the former Gosford City Council had spent $13.2 million on administration costs in breach of the Environmental Planning and Assessment Act 1979. These funds were repaid into the council’s local infrastructure fund during the course of the audit.

The Auditor-General made a number of recommendations for each council relating to improving controls over contributions and increasing transparency. 

Read full report (PDF)
 

This audit examined the effectiveness of governance and internal controls over local infrastructure contributions, also known as developer contributions, held by four councils during the 2017–18 and 2018–19 financial years.

This performance audit was conducted with reference to the legislative and regulatory planning framework that was in place during that period.

Our work for this performance audit was completed at the end of March 2020 when we issued the final report to the four audited councils and the Department of Planning, Industry and Environment. We received their respective formal responses to the report’s recommendations during April and May 2020.

Concurrently to this audit, we sought Crown Solicitor’s advice (the ‘Advice’) regarding the use of local infrastructure contributions collected by local councils under the Environmental Planning and Assessment Act 1979 (‘the EPA Act’) for our financial audit work. The Advice clarified the applicable legislative requirements with reference to the application, investment and pooling of local infrastructure contributions. The Advice is included in Appendix 2 of this report. The Advice has not impacted on the findings and recommendations of this report.

Councils collect Local Infrastructure Contributions (LICs) from developers under the Environmental Planning and Assessment Act (1979), the Local Government Act (1993) and the City of Sydney Act (2000) (EP&A Act, LG Act and City of Sydney Act) to fund infrastructure required to service and support new development. At 30 June 2018, councils across NSW collectively held more than $3.0 billion in LICs collected from developers. Just over $1.37 billion in total was held by ten councils. Councils collecting LICs must prepare a contributions plan, which outlines how LICs will be calculated and apportioned across different types of infrastructure. Councils that deliver water and sewer services prepare a development servicing plan (DSP) which allows them to collect contributions for water and sewer infrastructure.

Development timeframes are such that there is often several years between when LICs are collected and the infrastructure is required. Good governance and internal controls are needed over these funds to ensure they are available when needed and spent appropriately.

This audit assessed the effectiveness of governance and internal controls over LICs collected by four councils during the 2017–18 and 2018–19 financial years: Blacktown City Council, Central Coast Council, City of Sydney Council and Liverpool City Council. As at June 2018 these councils held the four highest LIC balances, each in excess of $140 million.

A strong governance framework is important at each council to ensure that the funds are managed well, available when needed and spent as intended. The audit examined the following features of each council's governance framework as they apply to LICs:

• decision-making by councillors and council officers relating to LICs
• monitoring delivery of contributions plans and DSPs including:
  • reviewing assumptions underlying the plans
  • monitoring projected status of plans.

Internal controls over LICs are important to promote accountability, prevent fraud and deliver infrastructure to the required standard at the best possible price. If financial controls are weak or are not implemented well, there is a risk that LICs are misspent or that councils pay too much for infrastructure.

Not all councils' internal controls adequately addressed risks associated with the administration of LICs

The audit examined a number of internal controls that manage risks related to LICs. These included:

• financial controls over receipt and expenditure of LIC funds
• management of conflicts-of-interest when dealing with developers
• independent valuations of works-in-kind and dedicated land
• ensuring delivery and quality of works-in-kind, and obtaining security from developers in the event of non-delivery or poor quality work
• management of variations to VPAs and works-in-kind agreements.

We reviewed controls included in policies and procedures and then checked samples of work to ensure that controls were implemented. We found variation in the controls that councils implemented, and some weaknesses in controls. It is a matter for each council to assess their financial risk and develop internal controls that support the collection, management, and expenditure of LICs. However, councils must be able to assure their communities and developers that they are doing everything possible to collect all LICs owing and that work conducted by developers in lieu of cash payments is properly valued and carried out to the required standard.

Further information about audit findings in relation to internal controls for each council are included in chapters five to eight. The exhibit below demonstrates variation in several controls implemented in the audited councils.

In a 2018 report, the Independent Commission Against Corruption noted that 'the appetite for transparency is expanding in both the public and private sectors'.

The Practice Note and S64 Guidance refer to transparency, including the importance of transparency over:

• calculation and apportionment of LICs
• funding of infrastructure, including where and when infrastructure is delivered
• arrangements made with developers through VPAs.

The LIC system is largely transparent for community members who know where to look

Contributions plans and DSPs are public documents, exhibited to the public before being adopted by council. Councils included in the audit publish their contributions plans and DSPs on their websites and meet statutory requirements with regard to reporting and accessibility of information.

However, other public information relating to the LIC system is fragmented across different websites and reports and varies in detail across councils.

The Practice Note states that councils are accountable for providing the infrastructure for which contributions are collected. Demonstrating that infrastructure has been provided is difficult with fragmented information. As an example of transparent reporting, Blacktown City Council's 2018–19 annual report includes information about infrastructure that has been delivered for every contributions plan, providing transparency over how LICs have been spent.

Use of LICs collected under VPAs is not always transparent

Contributions collected under VPAs are not required to demonstrate the same relationship to a development as LICs collected under section 7.11 of the EP&A Act. VPAs are often negotiated because a developer requests a change to a planning instrument, and it is important that these arrangements, and their outcomes, are transparent to the community.

The EP&A Regulation includes mechanisms to ensure that VPAs are partially transparent. VPAs are exhibited to the public and approved by the elected council. Councils must maintain a VPA Register and make the VPA Deeds of Agreement available on request. However, there is no obligation on council to report on the outcomes or delivery of developers' obligations under VPAs. The four audited councils vary in transparency and accessibility of information available about VPAs.

The Practice Note suggests that councils incorporate the intended use of LICs collected under VPAs in the Deed of Agreement, but there is no guidance relating to transparency over where and when funds have actually been spent. There is merit in councils providing greater transparency over public benefits delivered through VPAs to give communities confidence in VPAs as a planning tool.

Credit arrangements with developers are not always well documented or monitored

When levying LICs, section 7.11(6) of the EP&A Act requires councils to take into account land, money, or works-in-kind that the developer has contributed on other development sites over and above their LIC obligations. This section of the EP&A Act allows a developer to offset a LIC owed on one site against land or works contributed on another. This leads to some developers carrying 'credits' for work delivered to councils, to be paid back by reduced LICs on a future development. Blacktown City Council and Central Coast Council allow developers to carry credits. Liverpool City Council and City of Sydney Council do not permit credits and instead pay the developers for any additional work undertaken.

Councils should formally document credit arrangements and have a robust process to validate and keep track of credit balances and report on them. Central Coast Council does not keep good track of credit arrangements and neither Blacktown City Council or Central Coast Council aggregate or report on outstanding credit balances.

Appendix one – Responses from councils and the Department of Planning, Industry and Environment

Appendix two – Advice from the Crown Solicitor

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #339 - released 17 August 2020