About this report 

The land titles registry is a collection of registers established under the Real Property Act 1900 and related legislation. It is the source of truth for land and property ownership in NSW and underpins significant economic activity.

The registry is owned by the NSW Government. From 1 July 2017, a private operator has operated and maintained the registry under a 35-year concession granted by the NSW Government.

The Office of the Registrar General is the regulator of the private operator’s activity under the concession. It is a business unit in the Department of Customer Service.

This audit examined the effectiveness of the regulator in overseeing and monitoring the operation and maintenance of the registry to ensure its integrity and security.

Conclusion

The Office of the Registrar General has implemented an effective system and supporting processes to oversee and monitor the integrity and security of the land titles registry.

However, the audit found opportunities for the Office of the Registrar General to improve how it conducts its regulatory functions.

Recommendations

The audit recommended that the Office of the Registrar General should:

1. develop and publish its approach to exercising its regulatory functions and powers
2. publish a regulatory charter to ensure greater regulatory transparency
3. review the skills and capabilities required to regulate the land titles registry
4. ensure greater clarity on the rights to use data, and the application of privacy legislation
5. ensure compliance with the NSW Cyber Security Policy, including the requirements relating to third parties
6. perform an audit of the subscriber compliance process.

The land titles registry is a collection of registers that record property-related information

The registers collectively referred to in this report as the ‘land titles registry’ include the:

• Torrens Title Register – the primary register for land held in NSW under the Real Property Act 1900
• Register of Plans – comprises plans, that is a representation of a property’s boundary, submitted for registration by registered surveyors
• General Register of Deeds – established under the Registration of Deeds Act 1825, this was the first land register in NSW recording deeds in the system used prior to the introduction of the Torrens Title System, and includes the register of Causes Writs and Orders, Bills of Sale, Register of Resumptions, Powers of Attorney and other miscellaneous deeds
• Central Register of Restrictions – where participating organisations maintain up to date information about possible, or actual, interests they hold against NSW properties (for example for heritage or infrastructure reasons).

The 35-year concession for a private company to operate and maintain the land titles registry

In April 2017, the NSW Government granted a 35-year concession² to a private operator to operate and maintain the titling and registry services business area of NSW Land and Property Information (LPI). The private operator paid the State $2.6 billion for the concession, as well as committed to pay $8 million (indexed) annually in consideration for the ORG to perform the regulatory and enabling functions contemplated by the concession deed.

The private operator has the right to generate revenue by selling land information products and services, including through search and subscription fees, as well as by charging administrative fees, such as for registering land titles and other transactions. Each year, the operator facilitates over four million searches on titles and images, records 900,000 updates to land title records and creates 50,000 new titles.

NSW Treasury managed the bidding process for the concession and prepared the enabling legislation, the Land and Property Information NSW (Authorised Transaction) Act 2016. The concession deed was executed between the Minister for Finance, the Registrar General and the successful bidder.

The successful bidder was Australian Registry Investments (ARI), which in turn established NSW Land Registry Services (NSW LRS or ‘the private operator’) as a private, single purpose company to operate and maintain the land titles registry. ARI is a consortium of institutional investors and superannuation funds, which at the time of this audit included Aware Super, Macquarie Infrastructure Fund and UTA Registry Investments Trust.

The NSW Government retains ownership of the land titles registry, including the information it contains.

The land titles registry is a critical information asset for NSW as it is the basis of private ownership of property, which in turn supports property-related economic activity. In 2016, it was estimated that the land titles system underpinned over $130 billion dollars of economic activity in NSW each year. As of 2023, the total value of land in NSW was approximately $2.8 trillion.

The land titles registry is a ‘crown jewel’ IT asset under the NSW Government Cyber Security Policy. The land and titling information maintained by the private operator is provided to other government departments and agencies, such as Revenue NSW, Spatial Services and the Valuer General.

A key assurance provided by the NSW Government when granting the concession was that the ORG would be responsible for the regulation of the performance of the private operator under the concession deed. The ORG is a business unit in the Fair Trading and Regulatory Services division of the Department of Customer Service (‘the department’). The Registrar General is a statutory position and has a range of responsibilities, including under the Real Property Act 1900. The establishment of an ‘office’ to support the Registrar General accompanied the granting of the concession in 2017.

The ORG is not a separate auditable entity under the Government Sector Audit Act 1983. As such, the auditee for this performance audit is formally the Department of Customer Service.

NSW Treasury is also an auditee as it managed the scoping study, bidding process, legislation development process and the development of the concession arrangements. NSW Treasury does not have an ongoing role in the routine oversight and monitoring of the land titles registry. The audit has made no recommendations for NSW Treasury and the agency has elected not to provide a formal response to the audit.

Objectives of the concession

The concession deed includes a statement of the Government’s objectives for the concession. These objectives include achieving the following:

a) maintaining the security, integrity, performance and availability of the registers, core assets and core services

b) ensuring the registers are accurate and up-to-date, including that they accurately reflect all registered documents, plans and other matters that are required to be recorded in them

c) maintaining the confidence of the affected parties and the NSW public in the registers and the core services

d) promoting improvements, innovation and increased efficiency, and utilising greater expertise and investment in technology, in the delivery of the core services

e) minimising Torrens Assurance Fund Payments and

f) protecting current competition and the opportunities for future competition in the supply of downstream services by ensuring fair, transparent, predictable and non-discriminatory dealing by the operator with customers and prospective customers.

The deed also includes the private operator’s acknowledgment and agreement that its achievement of these objectives is of critical importance to NSW.

Regulation of the land titles system, including under the concession deed

The ORG has described its role as ‘... a regulator, advisor and litigator, working to ensure the integrity of NSW’s land title system’. While the ORG directly regulates the private operator of the land titles registry under the concession deed (as well as in accordance with any applicable legislation and delegations made by the Registrar General), the system of land titles is a complex one, with many different participants. These participants include:

• ELNOs – which provide the means for transacting parties to collaborate electronically on the preparation of registry instruments; there are currently two ELNOs operating in NSW, although PEXA is by far the dominant market participant compared to its competitor, Sympli
• subscribers – a person or business authorised to complete electronic conveyancing transactions using an ELNO, such as financial institutions, solicitors and licensed conveyancers
• government agencies – selected NSW government agencies and local governments are authorised to obtain information from the system, including Revenue NSW, Valuation NSW, the Surveyor General and local councils
• registered surveyors – who are responsible for conducting survey plans of property boundaries and lodging those plans for registration with the private operator
• information brokers – there are 12 wholesale information brokers with which the private operator has entered into agreements under the concession deed to provide access to NSW titling information held by the private operator
• users of the Central Register of Restrictions – including selected NSW government agencies and non-government entities, such as utility companies providing electricity, water and gas and the Commonwealth Department of Defence.

The data flows within the system are complex and interdependent. Many of the participants are critical to maintaining the integrity and security of the land titles registry. Each class of participant has different governance arrangements and controls for their participation. As shown in Figure 1, the ORG regulates and oversees, to varying degrees, this system of multi-layered rules, relationships and arrangements, with the concession deed between the NSW Government and private operator being at the core of the system.

In granting the concession, the government committed to a ‘robust regulatory regime’ and a ‘tight regulatory framework’ overseen by a ‘strong regulator’

In granting the 35-year concession to the private operator, the NSW Government committed to ensuring that the monopoly functions of providing titling and registry services would be ‘appropriately regulated’.

In commencing the process of granting the concession, the NSW Government set out what it described as a ‘robust regulatory regime’ that would apply to the concession. Of particular relevance to this audit, the government also established that:

• the Registrar General would monitor and enforce the operator’s compliance with regulatory requirements, including the terms of the concession deed
• the Registrar General would have a general power to direct the private operator to perform tasks ‘… in the public interest’.

In the September 2016 second reading speech accompanying the passage of the enabling legislation for the concession through NSW Parliament, the then Treasurer further highlighted that:

• the service standards defined in the concession would include ‘… a penalty regime should the private operator fail to comply’
• the Registrar General would have regulatory oversight of ensuring that the private operator adopted ‘appropriate data security and fraud detection practices’.

The second reading speech also highlighted the role of the Registrar General in overseeing how other participants in the land titling and registry system should perform. This included approving the standard terms on which the concession holder is to deal with its wholesale customers and intermediaries (including ‘subscribers’ to the operator’s services, such as banks, conveyancers and solicitors).

In January 2017, the then Registrar General explained his view that the arrangements for the concession would ensure that the ORG would be able to provide an ‘… independent, credible, stable and well mandated regulatory framework [that] will give confidence to customers and the business itself’. He further explained that:

On 6 April 2017, the then Registrar General further said that his office would follow a ‘modern regulatory approach’, which would include a ‘… focus on material things – where an operator’s actions are not in the spirit of the deed’s objectives’. The audit did not find evidence of how the ORG assesses deviation from the ‘spirit of the deed’s objectives’.

On 12 April 2017, the Premier and the Treasurer jointly announced the successful bidder for the concession. In doing so, their media release drew attention to the:

• ‘tight regulatory framework’
• ‘rigorous legislative and contractual safeguards around the concession to ensure the continued security of property rights and data’
• establishment of a ‘… new external regulator – the Registrar General – to enforce [the operator’s] performance during the concession, with power to monitor and audit performance, and even resume control of the LPI business if required’.

The Registrar General was not a newly established statutory position, although the role was provided with new regulatory functions and powers under the concession deed.

The task of overseeing and monitoring a private company operating and maintaining a monopoly service that uses government-owned systems (and where title is government-guaranteed) poses new and complex challenges for a regulator like the ORG, which previously performed stable and mature administrative and regulatory functions.

The ORG has made only limited use of the compliance and enforcement tools available to it under the concession deed

Seven years into the concession, the ORG is still in the relatively formative stages of settling its approach to the use of its regulatory powers under the concession deed.

The ORG has an experienced and highly qualified workforce, with substantial capability in areas such as property law, as well as a directorate focused on cadastral integrity. It has substantial capacity to administer its longstanding and relatively wide-ranging pre-concession responsibilities. This includes actioning matters under the Torrens Assurance Fund, conducting compliance audits of property plans prepared by registered surveyors and providing advice to government on relevant policy and reform.

In comparison to these longstanding, well-organised and well-understood responsibilities outlined above, the ORG is still forming its approach to exercising the full spectrum of its compliance and enforcement powers under the regulator–operator model. In some instances, this has limited its effectiveness in resolving regulatory issues raised later in this report.

The ORG has eight regulatory compliance and enforcement options available to it under the concession deed and the enabling legislation. The options are listed below, ranked according to their seriousness and frequency, with step-in and termination powers being both the most serious and least likely option to be applied:

• raise issues at governance forums
• informal letters escalating to formal letters
• approvals with conditions attached
• audit and review powers
• financial penalties for breach of service levels
• reserve power directions
• corrective action plans
• step-in and termination powers.

These options can be specific to circumstances and not all are available for all matters. For example, the ORG does have not a broad-based power to issue financial penalties for performance gaps except where specified in the concession deed.

Since the commencement of the concession, most issues with the private operator’s performance have been addressed without escalation beyond the exchange of formal letters. However, this approach has not always led to adequate or timely resolution.

A number of longstanding issues have been raised by the ORG regarding plan examination and subscriber compliance audits, as set out in section 5 of this report. Despite their significant importance to the integrity of the land titles registry and the potential for errors with financial and personal impacts on customers, these matters have not generally been escalated beyond discussions or letters.

The ORG does not have a formalised approach to how it will routinely and effectively exercise its compliance and enforcement functions and powers

The audit assessed whether the ORG has a clear statement of its regulatory posture or its approach to regulation on which to base its regulatory decision making. In its ‘Regulation insights’ report (March 2024), the Audit Office of NSW highlighted that regulators need clear escalation thresholds and enforcement policies to promote credible and proportionate regulatory actions. The concession deed sets out that the materiality of service level breaches is determined based on the operator’s culpability, the impact on the customer and whether the breach has occurred previously.

The ORG lacks a clear approach to how it would effectively exercise the regulatory tools available to it under the concession, such as:

• requiring ad hoc reports that are prepared in a timely manner and to an adequate standard
• issuing penalties for non-compliance
• conducting its own audits
• conducting a major review of the concession (the prospect of which was raised by the ORG with the private operator in 2022 but has not proceeded).

This is despite assurances (as described earlier) from the NSW Government at the commencement of the concession that these tools would be available and used by the regulator.

In September 2023, the ORG developed an initial approach to the use of concession deed levers to provide a ‘practical and proportionate approach’ to exercising its monitoring and oversight functions for the concession. However, neither these principles, nor any alternative, have been drawn upon to inform a codified regulatory or enforcement policy. The ORG advised that it is developing an approach to escalating matters through the hierarchy of available regulatory and enforcement tools.

The ORG is spending less on its regulatory functions than the fee paid by the private operator to support those functions

Under the concession, the private operator provides an annual indexed fee to fund the services delivered by the regulator. The concession deed says that this fee is paid ‘… in consideration for the [Registrar General] performing the regulatory and enabling functions contemplated by this Deed’.

In 2017–18, $8 million was allocated in the NSW Budget ‘… to be spent on regulating the operator of the NSW land title and registry system, ensuring its security and stability while enhancing service levels’.

In 2023–24, the department requested from NSW Treasury a budget of $8.26 million for the ORG, ($260,000 more than the 2017–18 allocation). This was also around 25% less than the mandatory fee paid by the private operator under the concession deed, which was $10.49 million. The balance of the fee paid by the private operator is retained by the NSW Government in the Consolidated Fund for general purposes.

The ORG undertakes a range of policy and reform projects that it tracks separately from its ‘business as usual’ activities. Not all these projects were envisaged when the concession was granted. For example, the interoperability project to support the introduction of national competition in the electronic lodgment network (ELN) is a substantial and complex national reform that has been led by the ORG on behalf of NSW.

NSW’s contribution to this project-based work is undertaken effectively within the same budget parameters and staffing as established when the concession was granted. At the time of the audit, the ORG’s project workplan includes 32 distinct projects, with one additional recent project being reclassified as ‘business as usual’ and two previous projects put on hold. The project plan includes activities relating to significant government reforms such as interoperability and digital survey plans reform, as well as matters that are regulatory in nature or which support regulatory priorities.

The audit heard from some stakeholders that the ORG’s focus on project-based work, including government reform initiatives, risks reducing resources available for its functions to monitor and oversee participants in the land titles registry system to the degree anticipated by government when the concession was granted.

As discussed in sections 6 and 9 of this report, this audit found that the ORG has capability and capacity gaps in specialist skills, particularly in strategic IT and regulatory policy and implementation. It is beyond the scope of this audit to consider whether these gaps could be addressed within the existing funding or whether the ORG required a revised budget that more closely aligns with the fee paid by the private operator.

The complexity of the land titles system limits the extent to which the ORG can oversee potential integrity and security risks on a whole of system basis

The ORG has varying approaches, powers and functions to regulate different participants in the land titles system, the complexity of which is increased by various third-party users and reseller arrangements that apply to land titles data. As discussed later, this complexity limits the ORG’s direct monitoring and oversight of potential risks or non-performance by system participants other than the private operator.

Table 1 provides further information on the regulatory arrangements for stakeholders accessing and informing the land titles registry.

Source: Audit Office analysis.

The ORG does not have a longer-term strategic plan for proactive compliance activities

Since December 2018, the ORG has issued the private operator an annual letter setting out ‘joint priorities’ for the forward year. While each letter is signed and issued by the Registrar General, the private operator has the opportunity to comment on proposed ‘joint’ priorities.

The annual priority letters are not issued under the terms of the concession deed and are statements of the regulator’s expectations, rather than binding obligations on the operator. The priorities are derived primarily from internal staff consultation, but also consider external stakeholders, existing or emerging reform topics, and progress achieved in meeting previous priorities. While the letters set out annual priorities, they are also intended to ‘… track progress on long-term objectives’.

These annual priority letters are effective in demonstrating a considered approach to articulating the regulator’s expectations of the private operator for that period. The ORG sets out specific ‘success measures’ (usually in the form of milestone progress or completion dates) for how priorities will be assessed.

The priorities set out in the annual letters are subsequently discussed and tracked at various governance meetings, as required under the concession deed. However, there have been few consequences if the private operator does not meet its priorities. Over the course of the concession, a number of reoccurring priorities point to intractable issues, about which the ORG has been dissatisfied. This has included matters that go directly to the integrity of the registers, such as the examination of submitted plans and subscriber compliance (particularly as assessed by the subscriber compliance examination process).

Until recently, the ORG did not include its own annual priorities in these letters. Rather, yearly priority letters to the private operator referenced government or joint priorities. In comparison, the most recent priority letter for 2025 provided a clearer articulation of the rationale between the annual priorities and the intended outcomes of the concession deed. The audit did not source evidence that the ORG set longer-term or strategic priorities for how it will proactively exercise its regulatory functions, such as a forward program of compliance activity, ad hoc reviews or audits.

The ORG ensures that the private operator meets its obligations to provide service level performance reporting

The concession deed provides for extensive performance reporting by the private operator against defined service levels or KPIs. While government statements at the commencement of the concession suggested there were 55 KPIs, this is inaccurate as it includes numerous sub-measures. Currently, 14 service level KPIs are reported quarterly on the ORG’s website. The publishing of service level performance has been explained by the ORG as bringing ‘… a new level of transparency to the NSW’s land titles registry’ to better hold to account the private operator and be a feature of the new regulator–operator model.

The private operator exceeded all published services for each of 24 consecutive quarters from the start of the concession until January–March 2024. This may suggest that the existing published service levels are not sufficiently challenging to support continuous improvement in the future. In addition, as discussed below, not all service level KPIs are published.

The ORG has proposed a review of service levels to identify those no longer relevant. This considers the substantial reforms to the land titles registry system have occurred since the concession commenced, including the move to 100% electronic conveyancing. Stakeholders also expressed a view to the audit that the existing published service levels are too focused on time measures, and do not sufficiently address quality and client satisfaction. It was also understood between the regulator and private operator early in the concession that ‘… as we move forward, customer behaviour will change, along with what is important to customers’.

The ORG has granted penalty relief for service level breaches, although there has been no public transparency about these decisions

There have been instances where the ORG has elected not to issue financial penalties where the private operator breached required service levels. While this discretion is a matter for the regulator to exercise, public transparency is lacking as to the underlying breach or the penalty decision. Service levels not achieved are not included among those published on the ORG’s website.

For example, from October 2020 to September 2023, the ORG granted penalty relief for 33 breaches of the private operator’s obligation to ensure specific data feeds to NSW Government agencies and local councils occurred within specified timeframes.³ A series of data feed failures in a legacy IT system was the catalyst for the private operator’s failure to meet the service level. The audit notes that the private operator’s interpretation of the relevant service level varied from the ORG’s interpretation, and suggested a smaller number of breaches than the 33 assessed by the regulator.

This penalty relief was initially granted in October 2020, then extended in May 2022 until September 2023. The ORG granted the penalty relief:

• in recognition of the private operator’s commitment to upgrade the legacy IT system causing the data feed failures
• because the ORG considered the impact on affected customers to be negligible.

As early as December 2019, the ORG had identified to the private operator that upgrading the legacy IT system was a priority. In August 2020, the ORG described the upgrade as ‘… critical to ensure accurate and complete data is provided to customers’ and asked the private operator to ensure that it is completed ‘… without further delay’.

The ORG did not extend its penalty relief beyond 30 September 2023. No breaches were reported to have occurred after this time. The upgrade to the legacy IT system is expected to be completed no earlier than January 2025.

The service level that was not met on up to 33 occasions is not included among the 14 service levels reported publicly on the ORG’s website. There was no public transparency about the operator’s non-compliance, or the ORG’s decision to provide penalty relief to the operator. The ORG did not publish a notice that it had afforded penalty relief to the operator, nor was this mentioned in the department’s annual report. The ORG’s view is that publication of these service level breaches was not required as they only affected government agencies.

This audit has not assessed the merits of the ORG’s evaluation of the service level breaches or its decision to extend penalty relief for non-compliance. The concession deed allows the ORG to make these types of decisions. However, when the concession commenced, the NSW Government stated that a consumer benefit of the concession would be ‘increased transparency’ due to the regulator being able to:

Prior to the concession, it was already the Registrar General’s practice to publish statistics about claims and payments under the Torrens Assurance Fund in the department’s annual reports. Since the concession, the only opportunity for increased transparency is through reporting on service levels and breaches, including about how the ORG responds to breaches, such as by extending penalty relief over extended periods of time.

When the concession commenced, the NSW Government also highlighted that, as the regulator, the ORG would have a range of regulatory options including ‘… a penalty regime should the private operator fail to comply’. The community and stakeholders were not told that the ORG could choose to waive penalties in response to breaches. Nor were the community and stakeholders told the circumstances in which such relief might be extended. This underscores the importance of the ORG being publicly transparent when it makes these decisions, including to explain their justification, so as to ensure that community trust and confidence in the regulator is maintained.

The ORG’s monitoring and oversight of how the private operator manages legacy IT systems is discussed further in section 6.

The detailed terms of the concession are not publicly available and there is a statutory presumption against their disclosure under the Government Information (Public Access) Act 2009

Much of the substantive detail about the regulatory requirements for granting the concession is contained in the concession deed document that was executed between the NSW Government and the private operator. This document is not public. Moreover, the enabling legislation for the concession included an amendment to the Government Information (Public Access) Act 2009. This amendment established that it is to be conclusively presumed that there is an overriding public interest against disclosure of information contained in any document ‒ including the concession deed ‒ prepared for the purposes of, or in connection with, the authorised transaction unless approved by the NSW Treasurer. NSW Treasury was not able to provide an explicit reason why this provision was included in the enabling legislation, other than to note that a similar provision was included in the 2015 electricity network transaction enabling legislation.

Key elements of the concession deed were modelled on the arrangements for the franchising of the Sydney ferries service, including:

• the model for service levels and penalties
• the transfer of administrative powers and functions to the operator
• the approach of adopting minimalist legislation supported by a detailed contract.

This framework is also similar to that adopted for the Greater Sydney Bus Contract. Both contracts (ferries and buses) are publicly available on Transport for NSW’s website (with redactions where necessary to maintain commercial confidentiality).

During consultation on the enabling legislation for the concession, external stakeholders noted that the delegation of key provisions to a confidential document detracts from promoting transparency and community confidence in the regulatory arrangements for the concession.

The ORG has not published a ‘regulatory charter’ as provided for under the concession deed

Clause 29.1(b) of the concession deed provides that the ORG may publish a ‘regulatory charter’ that contains:

• the division of responsibilities between the ORG and the private operator
• ring fencing and non-discrimination requirements
• dispute resolution processes
• the ORG’s rights in relation to reserve power directions
• the ‘customer terms’
• obligations in respect of ELNOs
• complaint handling arrangements.

The ORG has not published a regulatory charter, although some of the content envisaged by clause 29.1(b) is available across the ORG’s website. For example, the ORG’s website provides information about how individuals may apply to have a decision of the private operator reviewed by the ORG.

The ORG reviews an annual customer satisfaction survey conducted by the private operator, which has reported increased rates of satisfaction over the term of the concession

Regarding other measures of performance, the concession deed requires the private operator to conduct an annual customer satisfaction survey. The private operator has reported to the ORG improved levels of customer satisfaction with its services. While the audit has not assessed the survey data, the private operator has reported in its most recent survey that 71% of respondents were satisfied, up from around 50% at the start of the concession. Over the duration of the concession to date, these surveys have been run both internally by the private operator, and more recently by an external survey provider commissioned by the operator.

The private operator is also required to submit at regular intervals (annually or up to 18 months) updates to its technology roadmap and business plan. These documents are assessed by relevant subject matter experts within the ORG or the wider department and feedback is provided to the private operator on their adequacy. For example, a range of annual reporting requirements for FY23 relating to fraud and crime prevention, error reports, business continuity and incident management, and the technology roadmap were provided to Department of Customer Service IT for review.

The ORG has implemented an effective governance structure to support its regulation of the land titles registry system

The ORG has implemented a series of forums with the private operator to discuss strategic and operational matters. As required by the concession deed, these are:

• a Joint Consultation Committee (JCC)
• an Operations and Performance Committee (OPC)
• an Information Technology sub-committee (ITC).

The concession deed specifies that this governance framework is intended to:

• guide and monitor the performance of the concession
• oversee compliance with specified service levels
• resolve issues as required
• establish a framework to maintain an effective relationship between key personnel of the ORG and the operator.

These committees have clear terms of reference, which have been subject to review. The ORG has demonstrated, through meeting papers and minutes, that these committees meet regularly, consider substantive matters as envisaged by the concession deed, and are effectively administered and recorded.

The ORG has also established a stakeholder forum that includes senior representatives of key stakeholder groups. This forum is intended to foster multilateral communication between the regulator, operator and stakeholders. Some stakeholders expressed the view to the audit that the focus of this forum has evolved to facilitate feedback and updates from the regulator and operator, rather than provide opportunities for industry stakeholders to ask questions or raise issues. Notwithstanding, the ORG did provide evidence that issues raised by stakeholders at this forum were subsequently escalated to JCC or OPC meetings.

The ORG also has a series of bilateral regular engagements with key stakeholders, as well as specialist or project based working groups with the private operator and other system participants.

The ORG appropriately manages potential conflicts of interest

The ORG has recognised that the separation of the former Land and Property Information unit of the Department of Customer Service into separate regulator and operator entities meant that staff working in each entity may have close pre-existing professional and personal relationships. This heightens the need to identify and manage potential conflicts of interest to ensure credible and transparent regulation.

The ORG manages conflicts of interest by following applicable department policies. The audit reviewed conflict of interest declarations made by all ORG managers at NSW public service clerk levels 11/12 and above for the past three years. The audit found that declarations had been submitted and any conflicts addressed.
 

³ The breaches were of the ‘Core Data for Government Agencies Service Level’, which measures the number and availability of Core Data supplied to certain Government agencies that the operator successfully provides within required timeframes and hours of availability.

The land titles registry system is multi-party, with different powers and tools available to the ORG for each party. In summary, the ORG can address non-performance to varying degrees over:

• the private operator, through the multi-tiered framework described under section one of this report
• the ELNOs, which may be subject to suspension or termination (neither of which are practical options if the system is to function), as well as compliance examinations, remedial directions and application to the NSW Supreme Court for financial penalties
• authorised subscribers, who may have their access to the ELN suspended or cancelled (this regime is currently under review to broaden the Registrar General’s enforcement options)
• registered surveyors, who may be referred to the Board of Surveying and Spatial Information (BOSSI) for professional disciplinary action.

The number of claims and the total annual payments under the Torrens Assurance Fund have declined since 2014–15

The Torrens Assurance Fund (TAF) is a statutory compensation scheme designed to compensate people who, through no fault of their own, suffer loss or damage as a result of the operation of the Real Property Act 1900. This loss or damage can be a result of an error, misdescription or omission in the register. When granting the concession to the private operator, the government gave the assurance that the TAF would continue to operate and be administered by the ORG. The ORG has a longstanding function to receive and determine claims made under the TAF.

Relative to the number and value of matters addressed by the land titles system, the number of claims and total payments paid under the TAF is relatively small. As shown in Figure 2, between 2014–15 and 2022–23, the number of claims varied between seven and 40, while the payments paid under the TAF varied between $93,032.21 and $3,168,143.

This audit has focused on two primary processes when considering how the ORG obtains reasonable assurance about the quality of information held on the registers maintained by the private operator. These are:

• the examination and registration of plans by the private operator
• the registration of dealings by the private operator.

The concession deed requires that the private operator, in undertaking these functions, must, among other things, act in good faith, as well as act reasonably and on reasonable grounds. In each case, plans and documents must be entered promptly and accurately onto the relevant register.

These two processes and their role in supporting the integrity of the land titles registry are discussed in turn below.

The land titles registry is one of the department’s IT ‘crown jewels’

As the principal department for the ORG, the Department of Customer Service has identified the IT system supporting the land titles registry as a ‘crown jewel’ under the NSW Government Cyber Security Policy. Classification as a crown jewel provides the land titles registry with priority within the department when investment, fixes, patching and resource allocation are considered.

The ORG receives dedicated cyber security support from the department’s Office of the Chief Information Security Officer in the form of an identified business support officer. During the audit there did not appear to be a similar dedicated resource from the department’s general ICT division. The ORG has stated that the lack of dedicated support in this area risks that ‘institutional technology expertise is not built up or retained within Government to effectively monitor the [operator’s] management of this asset’.

However, from October 2024, DCS ICT has provided the ORG with a dedicated business partner who attends monthly meetings to discuss ICT matters and attends ICT Committee meetings on an as-needed basis.

While the IT system supporting the land titles registry is a critical IT asset, it is unclear how roles and responsibility are assigned for ensuring compliance with the NSW Government Cyber Security Policy

The NSW Cyber Security Policy provides guidance and mandatory requirements for agencies relating to cyber security. The ORG could not clarify whether it, or the department more widely, is responsible for ensuring compliance with the NSW Cyber Security Policy, as well as the role expected by the private operator. This creates a potential risk that protections contained in the policy will not be extended to the land titles registry and that there may be gaps in accountability.

The 2023–24 version of the policy contains three requirements relating specifically to crown jewels:

• agencies to identify and document external upstream and downstream dependencies of enterprise ICT (including cloud), operational technology and Internet of Things assets (specific requirement 1.6.4)
• agencies must assess and identify crown jewels and classify systems (mandatory requirement 1.7)
• agencies must conduct periodic reconciliation of data assets against data retention requirements (specific requirement 1.8.2).

The department appears to have complied with mandatory requirement 1.7, in that it has identified the land titles registry as a crown jewel. However, it explained that it did not have visibility or control over the upstream and downstream systems used by the private operator. Accordingly, to the extent that it may be responsible, the department acknowledged that it does not comply with specific requirement 1.6.4. While it was not specifically examined, the audit did not receive any evidence that the department complied with specific requirement 1.8.2.

While the department is not fully compliant with the requirements of the NSW Cyber Security Policy, its view is that:

• the concession deed requires the private operator to maintain technical and organisational measures that are no less rigorous than those that applied prior to the concession
• the cyber security measures taken surpass those that would apply under Department of Customer Service policies
• the regulator retains oversight of the private operator’s compliance with its requirements under the concession.

Notwithstanding these assurances, neither the department, nor the ORG itself, provided any evidence demonstrating that the protections provided by the private operator have been reconciled against all the requirements of the NSW Cyber Security Policy, including the specific clauses that apply to crown jewels. As discussed below, neither the department nor the ORG have considered the implications of the private operator being deemed a ‘third-party service provider’ under the NSW Cyber Security Policy.

The NSW Cyber Security Policy allows that not all its requirements must be uniformly implemented across the agency. However, where an agency seeks an exception to the policy, it should ensure that the exception is ‘… documented and approved by an appropriate authority through a formal process’. The ORG did not provide evidence that any exception to the requirements of the Cyber Security Policy (such as non-compliance with specific requirement 1.6.4) had been documented and approved.

The ORG has determined that the private operator is a third-party service provider under the NSW Cyber Security Policy, although the implications of this have not been fully examined by the ORG or the department

During this audit, in November 2024, the ORG obtained advice from Cyber Security NSW that the private operator is a ‘third-party service provider’ under the NSW Cyber Security Policy. The policy has a number of specific requirements relating to third-parties.

Mandatory requirement 1.10 of the NSW Cyber Security Policy requires agencies to ‘identify and manage third-party service provider risks, including shared ICT services supplied by other NSW Government agencies’.

Section 6.12 of the Cyber Security Policy provides agencies with guidance on their responsibilities for managing the cyber security requirements and risks posed by third-party providers to assist agencies implement mandatory requirement 1.10. This section includes responsibilities such as:

• ensuring third-party risks are considered in enterprise risk management processes
• conducting regular management of third-party risks through ongoing risk-based reviews to verify compliance with contractual agreements and security measures.

The designation of the operator as a third-party service provider to the ORG is a recent classification and the implications of this have not been fully considered by the ORG or the department.

The ORG has ensured that cyber security obligations are included in the private operator’s arrangements with its own contractors

The audit also considered what assurance the department or the ORG has obtained regarding the adequacy of cyber security provided by contractors to the private operator. Clause 39 of the concession deed establishes that:

• the private operator must ensure that its third-party service providers and subcontractors comply with all terms of the deed relevant to the operator’s obligations, including to maintain adequate cyber security
• the private operator is liable for all acts and omissions of its subcontractors.

The ORG and the private operator have agreed to a process whereby the latter notifies the regulator when new subcontractors are engaged and provides assurance that subcontractors comply with the requirements of clause 39.

The ORG has also approved a table of clauses that must be included in any subcontracting agreements that the private operator makes with its own third parties. These clauses include obligations for adequate cyber security.

The ORG has ensured security testing is conducted on the core systems and services of the land titles registry

The concession deed imposes requirements on the private operator relating to the security of the land titles registry, including that the private operator must:

• ‘… establish, maintain, enforce and continuously improve reasonable technical and organisational measures’ across a range of specific areas aimed at protecting data and preventing unauthorised access and use
• maintain technical and organisational measures that are no less rigorous than those the land registry was subject to prior to the concession
• engage in third-party audits in relation to its compliance with the applicable information security standard (ISO 27001), and provide these reports to the ORG.

The ORG has relied on subject matter expert advice from within the wider department to determine that the private operator is satisfying these requirements, including by providing third-party certification of its compliance with ISO 27001. The ORG provided evidence of this certification.

Clause 25.1 of the concession deed requires that the private operator must, to the extent reasonably requested by the ORG, test and evaluate the performance of core systems and services, which may include security testing such as ‘… vulnerability testing, penetration testing, manual configuration tests and reviews, self-assurance testing and other vulnerability and threat assessment testing’. This testing and evaluation has included assessment of the operator’s controls relevant to the System and Organisation Control 2 (SOC 2) Security and Availability Trust Services Criteria.

The ORG has ensured that the private operator has completed ISO2001 certification and has conducted SOC 2 assessments. Relevant materials are reviewed by subject matter experts from both the ORG and broader department and discussed at ITC meetings. This audit reviewed a sample of SOC 2 documents and found no significant weaknesses.

Consistent with clause 25.1 of the concession deed, the ORG has also required the private operator to conduct a program of penetration tests on its systems. Penetration testing is a useful mechanism for assessing the potential vulnerabilities of an IT system. However, penetration testing does not offer assurance of the security of a system. Reasonable assurance can only be derived by the effectiveness of security controls, including those implemented to address any vulnerabilities identified by penetration testing.

The ORG assesses and monitors how the private operator responds to vulnerabilities identified by its penetration testing program. The ORG reviewed test reports and discussed these with the private operator during ITC meetings. However, the effectiveness of this monitoring has been hampered by the ORG’s lack of a central registry of issues or vulnerabilities. This limits the ability of the regulator to easily monitor trends and risks or review historic issues.

The concession deed does not specify minimum acceptable standards for the conduct of penetration testing or other forms of system test. Moreover, it is the private operator that is responsible for conducting the testing. When the ORG reviews the results of the operator’s security testing, it also has the opportunity to assess the adequacy of the design and conduct of the tests (including to ensure that the scope and timing of each test provides adequate assurance that vulnerabilities have been identified).

However, as security testing is a requirement of the concession deed, the ORG – as the regulator and consistent with regulatory good practice – should be clear about its expectations for what constitutes appropriately rigorous test methods. These expectations should be effectively and proactively communicated to the private operator, and not left to be raised in retrospective review comments.

The ORG has become increasingly focused on potential risks posed by aging legacy IT systems and how any risks should be mitigated

When granting the concession, the NSW Government’s stated expectation was that the private sector would ‘… have strong incentives to invest in new technology, resulting in significant improvements to the system, and benefits for consumers’. There was an expectation at the outset of the transaction that the successful bidder would, at some time, ‘refresh’ the existing legacy IT systems on which the land titles system operates. While unspecific at the time, a system refresh could include either upgrade or replacement.

However, it was not clear in the bidding documents exactly when and how a successful bidder would be required to address the risks from legacy IT systems. The Information Memorandum provided by NSW Treasury to potential bidders noted that the expected response of the successful bidder:

Commitments to replace legacy systems were included in the private operator’s business plan and technology roadmap submitted as part of its bid, with the business plan committing to the ‘decommissioning of legacy systems by the end of 2019’.

The private operator has ‘de-risked’ some parts of the legacy environment, including the Historical Land Records Viewer and its website, and is currently working (albeit to a delayed schedule) to upgrade a key system, the Integrated Property Warehouse (IPW). However, the replacement of legacy systems ITS (Integrated Titling System) and DIIMS (Document and Integrated Imaging Management System) was removed from the operator’s 2023–24 technology roadmap. An external strategic technology review commissioned by the ORG in 2023 recommended to the regulator that the operator should be asked to re-include this work in future roadmaps. This was so that a ‘complete risk assessment and project complexity, cost and delivery schedule’ could be understood.

While the matter had been raised previously, it appears that since 2023, the ORG has become increasingly concerned about the private operator’s management of legacy IT systems. The ORG has noted that the private operator has not conducted discovery work or risk assessments on these systems. In 2023, the ORG assessed the removal of ITS discovery work from the 2023–24 technology roadmap as ‘highly concerning’ and noted that it would, in response, ‘… consider the full range of levers under the Concession Deed’.

In July 2024, after considering an ‘escalated regulatory response’ to the operator’s perceived reluctance to conduct its own risk assessment, the ORG determined to initiate its own risk-based review of the longevity of the legacy core systems in conjunction with Department of Customer Service ICT personnel.

This performance audit has not assessed the risks posed by legacy IT systems and notes that such questions can raise complex technical issues. It is not necessarily the case that a legacy system is inherently insecure and there is evidence that the private operator has conducted work to insulate the core legacy systems from potential risks. Accordingly, the audit has made no finding about any level of risk posed by the legacy systems underpinning the land titles registry.

The approach taken by the ORG from July 2024 seems consistent with guidance published by the Australian Signals Directorate and the Australian Cyber Security Centre. This guidance highlights the need for agencies to implement a sound strategy to manage legacy IT, starting with developing an understanding of the business and security risks posed by such systems.

The ORG has recognised the importance of privacy to retaining confidence in the land titles system and actively addresses privacy issues with the private operator

The registers operated and maintained under the concession deed are public registers. That is, they can be accessed by anyone (in some circumstances, after the payment of a fee). While there are public interest reasons for this information to be publicly available, public registers can create a tension with individual privacy, where the information held in a register is personal identifiable information about an individual.

This tension can be exacerbated when it is compulsory to record information in a public register, thereby reducing the individual’s choice and control over their personal information. In some circumstances, it has been found that community concerns are exacerbated where public registers are operated and maintained by the private sector, for example, when the UK Government considered privatising its land titles registry.

In its privacy policy, the private operator of the NSW land titles system explains that the personal information that it may collect can include:

• name, address, age or date of birth, contact details
• information collected in connection with maintaining the various registers, including information about an individual’s property dealings, such as transfer and leasehold documents
• information related to the operator’s products or services, such as credit card or bank account details
• verification of identity information, such as passport information, rates notices, Medicare card details and drivers licence details.

In recognition of the privacy risks inherent to public registers, and the potential volume of personal information collected, privacy issues are recognised and discussed between the ORG and the private operator, including at JCC meetings between the Registrar General and the chief executive officer of the private operator.

For example, the ORG recognised a potential privacy risk in how the private operator was collecting information for its subscriber compliance audit process. This resulted in the ORG requiring the private operator to put in place a more secure method for collecting this information. Similarly, the private operator itself identified a potential privacy issue regarding the length of time it retained personal information for the same process.

As discussed below, privacy is also considered by the ORG in regard to new non-core service proposals from the private operator.

New services proposed by the private operator are subject to approval by the Registrar General and have been subject to privacy impact assessments

Privacy risks inherent to public registers can become greater where there are pressures to use that information for purposes unrelated to the original purpose of the public register (‘function creep’).

It was explicit in the NSW Government’s announcement regarding the granting of the concession that it was expected, not just permitted, that the private operator would identify, develop and deliver additional services using information collected for the purposes of the registry, while ensuring appropriate recognition of potential privacy concerns.

The concession deed has a mechanism requiring ORG approval of proposed new ‘non-core services’ by the operator. Since the concession was made, there have been four additional non-core services approved. These have each been accompanied by a privacy impact assessment prepared by the private operator and at the instigation of the operator. The ORG does not have standards for an acceptable privacy impact assessment other than the assessment should be prepared by a ‘reputable organisation’. Guidance published by the NSW Privacy Commissioner is that, where possible, privacy impact assessments should be published, which has not been the case for those assessed by the ORG (although commercial and competition issues around potential new information products could offer a justification for not publishing).

The audit assessed a sample of privacy impact assessments submitted to the ORG by the private operator. Consistent with the NSW Privacy Commissioner’s guidance, the assessments were found to be fit for purpose, in that their size and scope appeared consistent with the inherent assessed risk. The same guidance highlights that privacy impact assessments should be more than just compliance checks. This good practice advice is similar to that published by the Australian Office of the Information Commissioner.

The ORG has developed a template for assessing new non-core services. The template requires ORG staff to consider a range of issues, including privacy, when new non-core services are proposed by the private operator.

The ORG has limited visibility of how effectively other system participants ensure privacy of personal information

The ORG maintains a regulatory role over the operator. However, there are numerous other system participants who could adversely impact the integrity and security of the registry, including by impacting the privacy of personal information (whether deliberately or incidentally). The extent of the ORG’s regulatory oversight and powers varies according to the type of system participant.

For example, the ORG has powers under the concession deed to regulate the private operator directly, although it relies on the private operator to conduct compliance activities for subscribers. Its range of regulatory enforcement options also vary between system participants. Similarly, the concession deed provides for the ORG to issue penalties against the private operator, although not against subscribers or surveyors for non-compliance with their respective obligations.

In December 2018, the then Registrar General nominated a ‘joint comprehensive review of all potential privacy risks to LRS’ as a priority for the coming year to be completed by December 2019. By July 2019, minutes of the JCC record this priority as ‘deferred’. Subsequently, a comprehensive review of privacy risks has not been conducted. Such a review may assist in better understanding any potential system-wide privacy risks to the land titles system.

The ORG and NSW Treasury offered strong public assurance at the start of the concession that statutory privacy protections would apply to the land titles registry

The handling of personal information by NSW Government agencies is regulated by the Privacy and Personal Information Protection Act 1988 (PPIP Act). As well as setting out privacy principles with which NSW government agencies are required to comply, the PPIP Act also provides a statutory right for individuals to take complaints about the handling of their personal information to the NSW Privacy Commissioner, who may make binding decisions on agencies. The PPIP Act does not generally extend to private sector companies.

While NSW government agencies are covered by the PPIP Act, most private sector companies in Australia (as well as most Commonwealth government agencies) are covered by the Commonwealth Privacy Act 1988 (Privacy Act). The Privacy Act contains similar protections to the PPIP Act, although the regulator and dispute handler is the Australian Privacy Commissioner. Unlike the NSW Privacy Commissioner, the Australian Privacy Commissioner may make an enforceable determination requiring that a complainant be paid compensation for financial or non-financial loss. Section 39 of the enabling legislation for the transaction that underpinned the concession established that:

This was made clear in the second reading speech to the bill for the enabling legislation, which stated that the PPIP Act ‘… applies to the private operator as if it were a public sector agency in the same way that it currently applies to LPI titling and registry Services’.

In April 2017, NSW Treasury published a fact sheet offering ‘consumer assurance’ that:

Similarly, in March and April 2017, the then Registrar General made public presentations highlighting that the private operator was subject to statutory privacy obligations:

Accordingly, there appears to have been clear intention to offer assurance to the community that statutory privacy protections would apply to the land titles registry once the concession was made.

The ORG has not obtained assurance whether the private operator is covered by the Commonwealth Privacy Act

Despite the strong public assurances outlined above, there was uncertainty when the concession was granted about whether and how the Commonwealth Privacy Act applied to the operator.

As outlined above, the Commonwealth Privacy Act does not cover NSW government agencies. While it does generally cover private sector businesses (such as the private operator), there is an exemption for private sector contract service providers to NSW Government agencies for the purpose of providing services under their contract. Specifically, s. 7B(5) provides that the ‘acts or practices’ of private sector organisation are exempt where:

• the organisation is a contracted service provider for a state contract
• the act is done, or the practice is engaged in for the purposes of meeting (directly or indirectly) an obligation under the contract.

This was recognised in an information memorandum provided to bidders during the bid process for the concession. The information memorandum explained that the successful bidder may be subject to the Commonwealth Privacy Act, including to the exemption available ‘… as a provider of services to State Government’. The information memorandum concluded that ‘Compliance with the Commonwealth Privacy Act will be a matter for the private operator to assess’.

Accordingly, notwithstanding the confidence inherent in government public statements around the time that the concession was made, it appears unclear whether (and to what extent) Commonwealth privacy legislation applies to the land titles registry operator.

The ORG has not clarified whether an individual would complain about a privacy breach to the NSW or Australian Privacy Commissioner

Part 6 of the PPIP Act provides specific provisions for ‘public registers’ operated and maintained by NSW government agencies (noting that the private operator is deemed to be a NSW government agency by s. 39 of the enabling legislation for the transaction).

Part 6 of the PPIP Act sets out two specific protections for public registers held by NSW government agencies, these being:

• an agency keeping a public register must not disclose any personal information kept in the register unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept
• an individual may request that their personal information be suppressed from a public register if they can establish that its open inclusion would affect their safety or well-being.

However, clause 7 of the Privacy and Personal Information Protection Regulation 2019 exempts public sector agencies responsible for keeping certain prescribed public registers from the requirements set out in Part 6 of the PPIP Act. The registers operated and maintained under the land titles registry are included in the list of the public registers that are exempt from Part 6.

Accordingly, the two statutory protections specifically focused on public registers in the PPIP Act do not apply to the land titles registry.

While there are equivalent contractual restrictions in the concession deed, these measures are not accompanied by a statutory right for individuals to complain to the NSW Privacy Commissioner if their personal information is handled in a manner that would otherwise breach Part 6. In these same circumstances, for the reasons discussed above, it is also unclear whether an individual could complain to the Australian Privacy Commissioner if the potential breach relates to the private operator performing functions as a contract service provider to the NSW Government.

This jurisdictional complexity is further complicated by the private operator collecting different types of personal information, namely:

• personal information that must be collected onto registers to meet titling and registry legal requirements, such as the name of the title owner or mortgage information
• personal information that is collected by the private operator to support the operation and maintenance of the register and other products offered by the operator, such as payment and identity verification information.

The private operator publishes a detailed privacy policy on its website. This policy states that the private operator is required to comply with both the PIPP Act and Privacy Act, and to the extent of any inconsistency, it would comply with the latter. While this demonstrates a clear intention to ensure compliance with legislative privacy obligations, further clarity is required as to how this intention can be reconciled with the issues outlined above.

As the lead agency in managing the transaction and overseeing the preparation of its enabling legislation and concession arrangements, NSW Treasury could not provide evidence that the NSW Privacy Commissioner had been consulted during the drafting of either the enabling legislation for the concession transaction or the concession deed document.

The ORG has detailed policy and procedures for ordering the suppression of personal information on the land titles registry, although third-party information reseller arrangements mean that the ORG cannot ensure that personal information will be fully suppressed

The ORG may direct the private operator, as well as other parties, such as specific government agencies that use land registry information, to suppress personal information held on the land titles registry. Information about this option is provided on the ORG website. A suppression may be ordered in response to a request from a member of the public advising that their well-being or safety is at risk because the register may disclose their whereabouts.

In the 12 months to July 2024:

• 107 applications to suppress personal information were assessed
• 60 were accepted
• 47 were declined.

Due to the critical nature of name suppressions and the potential danger to the individual, it is a requirement that a suppression application be actioned on the day it is received by the private operator (when received during business hours).

The ORG has detailed policy and process documents for the suppression of personal information. These documents detail the information that is required to be provided by an applicant, as well as describing the decision-making process and how an accepted application will be actioned. The Suppression Policy requires the private operator and a specific government agency that uses and distributes land registry information to complete the suppression request within one business day.

Analysis performed by the ORG in September and October 2019 found that action in response to at least six suppression applications had been delayed by periods between three and six days. The ORG’s policy on the suppression of personal information now specifies that its privacy contact officer will actively monitor the action time of a suppression direction to ensure that the private operator actions any suppression order within one working day. For a sample period of January to June (inclusive) 2024, the ORG reported that the performance measure was met for each month. However, the complex flows of land titles information, and the multiple parties who may handle it, mean that it could reasonably be expected to take up to two weeks for suppression orders to be given full effect.

The audit reviewed a small sample of successful and unsuccessful suppression applications that had been received and determined during 2023–24. These are discussed below.

A sample of five successful applications highlighted the difficulties that the complexity of the land titles system poses in managing data. From the sample, it was found that the private operator actioned suppression orders in a timely manner. However, the time taken to action suppression orders was longer in the case of the government user.

When the government user receives a suppression notice from the ORG, it informs its seven data customers that they (and in turn their own unknown number of customers or resellers) have seven days to ‘remove all elements of personal information including the property sales information from any record held’. As the ORG is not a party to this data sharing arrangement and has no visibility of the agreements between the various parties, it has no mechanism to offer assurance about the effectiveness of the suppression process.

The ORG was able to demonstrate that the sample of unsuccessful suppression applications had been handled in accordance with its policy, including by explaining the process to the unsuccessful applicant and affording them the opportunity to provide further information.

The ORG is preparing a policy to explain the rights of the private operator, government agencies and other third parties to use land titles registry data for new services and products

The concession deed sets out a number of clearly defined ‘core services’ that the private operator is required to provide. In addition, the private operator may apply to the ORG for permission to use land titles registry data for other ‘non-core’ services. These non-core services can generate revenue for the private operator.

The NSW Government made clear when granting the concession that a policy objective was to promote innovation and improved customer service, including by permitting the private operator to develop new services, while also ensuring that the principles of the NSW Government Open Data policy were maintained. An objective of the Open Data policy is to promote the release of government data ‘… for use by the community, research, business and industry’ and to ‘inform the design of policy, programs and procurement’. The Open Data Policy is not a ‘free data’ policy but is based on the principle of ‘free, where appropriate’.

Under the concession deed, the private operator is entitled to claim compensation for prescribed ‘compensation events’. In broad terms, compensation events include where the private operator loses its exclusive right to maintain and operate the NSW land titles registry, including to facilitate authoritative searches of titles.

On 28 September 2021, the private operator submitted a claim for compensation under the concession deed. This claim concerned the use of data by the Spatial Services business unit of the department to create the NSW Spatial Digital Twin (‘Spatial Digital Twin’).

The Spatial Digital Twin is described by the department as ‘… a cross-sector, collaborative digital workbench for whole-of-government use, that will visualise location information, in a 4D model of the real world (3D plus time)’. It brings together many data elements from multiple sources across government, including information from strata plans registered in the land titles registry.

On 23 October 2021, the NSW Government rejected the private operator’s compensation claim. However, while rejected, the claim has not been withdrawn. The department has assessed the claim as being unfounded and, consistent with financial audit standards, it is not recorded as a liability in the department’s financial accounts. However, the department does include the claim in its ‘emerging issues return’ that agencies are required to provide to NSW Treasury.

It was beyond the scope of this audit to assess the merits of this specific claim. However, at a general level, the matter highlights that there may be different interpretations of the concession deed in regard to the permitted uses of land titles registry data and the related compensation provisions. This includes NSW Government agencies that had existing pre-concession rights to obtain data for specific purposes, as well as other system participants that obtain land titles data, such as ELNOs. If a common understanding is not established, then there are dual risks that:

• the potential for compensation claims may mute innovation in how NSW government agencies, and potentially others, use land titles registry data
• current or further claims for compensation by the private operator for uses of data by third parties may create financial liabilities for the State.

The concession deed includes provisions that permit certain government agencies to obtain land registry data. Those agencies may also enter into individual memoranda of understanding (MOU) with the ORG. These MOUs set out details about how and for what purposes each agency may obtain data. Consistent with the deed, the MOUs also permit agencies to use land titles registry data for ‘similar governmental purposes’ to those purposes specified in the concession deed. There is no guidance on the interpretation of ‘similar governmental purposes’.

The ORG first formally proposed an approach to resolve this matter in August 2021. However, it remains a live issue. The ORG’s annual priorities letter to the private operator for 2023–24 identified the need to achieve ‘clarity around the use of land registry data’, explaining that:

Achieving greater clarity in this matter remains one of the ORG’s annual priorities for both itself and the private operator for 2024–25. The ORG is developing a data use policy intended to assist in addressing risks around data use by clearly communicating to stakeholders the ORG's position on the use of data from the various registers operated under the concession. This policy was still in draft form during this audit.

The ORG has ensured that business continuity and recovery planning has been prepared for the land titles registry

The private operator is required by the concession deed to develop, submit and test a business continuity plan. During the concession, the private operator has met this requirement by providing the ORG with required and related documents, including its Business Continuity Plan, Business Continuity Management System and Disaster Recovery Strategy, as well as a third-party assessment of the adequacy of the planning.

The private operator is required to annually test its continuity planning. The audit team sighted evidence of third-party testing of the business continuity plan, as well as ORG feedback on the adequacy of business continuity plans and engagement with tests.

The audit team assessed a sample of business continuity plans provided by the private operator to the ORG against the applicable international standard (ISO 22332). In addition, a sample of incident management and recovery plans were assessed against both ISO 22332: 2022 and ISO 27035.1:2017.

The audit team found that while the plans did not expressly claim to be prepared in accordance with any formal standard, they were broadly consistent with the requirements of the standards. For example:

• there was evidence that sampled plans had been reviewed annually or as required as a result of organisational changes or post incident review
• assumptions for the operation of the plan, and intersections with other key documents were clear
• specific roles and team members, including alternates where available, were identified with defined roles and responsibilities
• where scenarios were detailed, there were specific steps and tasks clearly outlined
• plans contained rating frameworks that defined the criticality of events, and the subsequent recovery objectives.

The private operator also has a business continuity management framework that sits across business continuity plans for specific functions, as well as a disaster recovery strategy. These higher-level documents also provide detail on the operator’s requirements for more specific plans and processes to be tested. The business continuity management framework, for example, requires annual business continuity exercises to take place.

The ORG has a local business unit continuity plan, although this has not been tested

As part of Department of Customer Service business continuity planning, the ORG has a local business continuity plan for its own business unit. This plan addresses three specific critical business functions:

• managing the concession
• administering the TAF
• regulating ELNOs.

Each of these critical business functions has a maximum acceptable outage time of one day, with a recovery time objective of three days. The ORG has not tested these recovery time objectives, or the operation of continuity plans for critical business functions.

The alignment of regulator and operator response and recovery plans is a recent improvement that has been identified through joint scenario testing

A joint exercise was conducted in November 2023. An external cyber security consultant was commissioned to design and deliver a cyber incident response exercise between the department, the ORG and the private operator.

The consultant produced a report that identified strengths across the engaged stakeholders, including the collaborative culture with clear decision-making protocols, awareness of the current threat landscape, and active involvement and identification of areas of improvement.

The report broadly identified the need for interconnected communication plans, harmonised incident response plans and pre-defined authority to act as key opportunities for improvement. This was due to uncertainty regarding who should initiate contact with different parties, the need for enhanced coordination and uncertainty during the exercise about who had the authority to engage with the threat actor.

This seems to be the only joint exercise that has been conducted between the regulator and operator to date. No further joint exercises are currently planned.

The ORG has not tested whether it could use back-up data to operationally manage the land titles registry

The concession deed requires the private operator to provide the ORG with a daily back-up of the ‘core data’ contained in the land titles registry (except for core imaging repository data, which is subject to weekly back-up). This is consistent with pre-concession disaster recovery arrangements where core databases and transaction logs were replicated to an off-site disaster recovery centre daily.

The ORG has taken steps to ensure that the back-up data provided by the operator is reliable. The content of the back-ups provided by the private operator was validated by Department of Customer Service ICT in August 2024, with a regular automated testing protocol now in place. This was not always the case, as ORG audits of back-up data had identified deficiencies earlier in the concession.

While the ORG has access to accurate back-up data, the value of the back-ups and whether the ORG can effectively restore the state back-up (for example, if it is ever required to exercise its step-in powers) has not been determined. The audit was told ‘there is no guarantee’ that existing back-ups could be used to restore the system.

The appropriate use, utility and purpose of the state back-up is a current issue for the ORG. This issue was also identified in the 2023 strategic technology review, which noted the potential for developing a real time replica of the land titles registry data. As a result of this review, the ORG is reviewing best practice for the use of the state back-up, including analysing its purpose, situational need and methods to audit and assess back-ups in the future. These findings are due in mid-2025. Any changes to state back-up arrangements will likely require changes to the concession deed.

If future circumstances require the ORG to rely on the state back-up of the registry data, the ability of the ORG to use the state back-up would be critical, including if there was a technical or operational failure with the private operator. The ORG has commenced initial analysis on the required documentation, procedures and scenarios required to exercise its step-in powers. However, the ORG has not tested how effectively it could restore the state back-up, or how it would use the back-up data in practice, if it was needed.

There is evidence that the ORG has taken steps to identify regulatory weaknesses and areas for improvement

The ORG has several internal processes to identify and review issues around its own performance. These include weekly and fortnightly team meetings at various levels, quarterly executive meetings, and an annual team development day. The ORG also notes that a weekly email identifies good regulatory practice, however there is no formalised approach in terms of a framework that benchmarks the ORG’s performance in comparison to similar regulators or guides its continuous improvement processes.

The ORG has identified several internal improvement areas. These include workforce capability or capacity gaps and managing the risk of regulatory capture.

• Workforce capability: while the ORG has a small IT team, it does not have senior or strategic IT expertise. Workforce capability in this area is a key risk to the long-term regulation of the land titles registry. It was raised by several stakeholders in interviews with the audit team and identified as a risk in both the Strategic Technology Review, and the ORG’s 2023 annual team development day.
• Regulatory capture: ORG staff should refrain from becoming involved in discussions with the private operator and surveyors about plan issues, due to its role as the decision-making authority in administrative reviews.

The ORG is addressing a gap in strategic technology and regulatory practice capability to ensure it can effectively regulate the land titles registry in the long term

The land titles registry is an increasingly technology-focused system, having transitioned since the early 1980s from a paper-based system, where documents were submitted or searched for in-person, to a digital system with remote online access. This means that the ORG is increasingly regulating technology solutions and operations.

While the ORG has identified strategic technology expertise as a gap, it does not yet have a long-term capability development and retention plan. It has also not mapped its existing skills base to ongoing requirements of overseeing the concession deed and regulating the land titles registry. Its existing workforce plans respond to workforce survey findings and focus on developing and retaining its current workforce.

To address this capability gap in the immediate term, the ORG has engaged an external consultant to address strategic technology skills, reallocated its spending on consultancies to fund ongoing roles and requested support from Department of Customer Service ICT.

In 2024, as part of Fair Trading and Regulatory Services, the ORG was provided with a dedicated business information support officer from the department’s cyber security area who supports it with advice related to cyber security. Prior to this the ORG was also able to receive advice from the department’s Chief Information Security Officer. Advice has included risk assessments, responses to ad hoc requests and formal advice on reporting required from the operator. There is a potential risk in relation to this key role being outside the ORG’s structure and therefore not able to be fully managed by the ORG.

Broader Department of Customer Service ICT support has been more limited outside of cyber security. Leadership meetings have occurred inconsistently, for example, limiting ORG’s ability to influence the department’s ICT support.

The NSW Public Service Commission (now located within the Premier’s Department) has published a Strategic Workforce Planning Framework that provides guidance for agencies to understand and prepare for their future workforce needs. This framework identifies three levels of workforce planning.

• Strategic workforce planning: identifies actions and addresses challenges, risks and opportunities, entailing longer term planning covering a 3–5 year period. The framework notes that strategic planning is not ‘resource management to fill immediate operational needs’.
• Tactical workforce planning: specifies how work should be done in a specific area to efficiently achieve goals outlined in the strategic workforce plan.
• Operational workforce planning: Ensures daily work is done effectively.

ORG activity to address this capability gap is mainly tactical and operational. Quarterly executive meetings review resourcing needs with an 18-month time horizon, while the Strategic Workforce Planning Framework recommends a longer time horizon. Executive review assesses anticipated workload and, in addition to specific technological capability, has identified the need for additional capacity across the ORG in the areas of policy, regulation and cadastral integrity.

The ORG advises that it is currently reviewing the most effective approach to engaging strategic technology expertise and relies on expertise from within the Department of Customer Service for guidance on workforce planning.

The ORG’s wider regulatory context also creates capability needs in regulatory policy and practice. The ORG performs regulatory functions over a complex and multi-participant system. Its primary regulated entity, the private operator, has unique characteristics, being a monopoly exercising important titling functions using an asset that remains the property of the NSW Government.

At the same time, there are a range of other system participants, such as lawyers, conveyancers, surveyors and banks, who are primarily regulated by other bodies. The other main group of participants, the ELNOs, are themselves subject to new and dynamic market pressures as the industry evolves from a monopoly to a competitive market. The Australian Registrars' National Electronic Conveyancing Council has described a future-state in which multiple ELNOs inter-operate, resulting in a ‘growing compliance burden for government’ within ten years.

The concession deed contains mechanisms to support continuous improvement in the operation of the concession, including an optional five-year major review clause that has not yet been exercised

The concession deed provides for the ORG to conduct:

• ‘annual reviews’ of the operator’s performance, including its achievement of service levels and a review of its latest business plan, as well as a broad range of other matters
• ‘ad hoc and other reviews’, whereby the ORG may review or ‘spot check’ the operator’s performance of any core service provided under the concession
• a ‘major review’ of the operator’s performance under the deed no more than once every five years, including the extent to which the operator is acting consistently with the objectives of the concession and a broad range of other matters – a major review may also consider whether any changes are required under the concession deed.

The ORG conducts annual reviews of the private operator’s performance, including by reviewing and providing feedback on iterations of the private operator’s business plan. As discussed earlier, the ORG has also required the private operator to provide ad hoc reports on two occasions relating to the quality of the private operator’s plan examinations. While the annual priority letters described earlier in this report (see section 3) also encompass an element of performance review, that process is not a function of the concession deed.

To date, the ORG has not exercised its option to conduct a major review of the concession. The ORG did consider conducting a major review in 2022, but it was determined at the time that progressively evolving the concession using iterative contract variations agreed with the private operator was an adequate course of action.

The range of matters anticipated by the major review mechanism is substantial and would prompt consideration of matters that may not emerge iteratively or ad hoc, including matters that are more than simply routine or operational. For example, the major review mechanism provides for the review of significant and strategic matters, including those ‘… that were not anticipated as at the execution date, but which ought to be addressed having regard to the objectives’. Notwithstanding the long duration of the concession, and the complex and evolving environment in which it operates, the ORG has not commenced preparatory work to scope when, or in what circumstances, a major review would be appropriate.

Appendix 1 – Response from Department of Customer Service

Appendix 2 – Glossary

Appendix 3 – About the audit

Appendix 4 – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #403 released 12 February 2025.

About this report

Bus services in metropolitan Sydney are provided by private operators under contract to the NSW government. Transport for NSW (TfNSW) determines bus timetables, routes, stops, and frequency, while the operators deliver the specified bus services.

This audit assessed the effectiveness of TfNSW’s design and management of metropolitan Sydney bus service contracts. The audit focused on the nine regions where services are provided under the Greater Sydney Bus Contract (GSBC).

Conclusion

TfNSW is not effectively managing bus contracts to ensure that operators are meeting contracted obligations and customer needs. It has not responded strategically to major changes in commuter, work and travel patterns on metropolitan bus services.

TfNSW identified significant gaps in its strategic contract management capacity since 2022 but has not sufficiently addressed these. As a result, it has not undertaken essential medium to long term strategic activities required to effectively manage the GSBCs. It has not conducted a holistic, systematic review of service levels across all regions to fully address the impacts of the post-COVID-19 period, and other changes such as new infrastructure and travel options like the Sydney Metro M1 line.

First stop on time running has stabilised since January 2023. However, operators are not consistently meeting their performance obligations for on time running, cancelled trips and customer complaints.

There are gaps in TfNSW’s contract management specific procedures and delegations. These gaps mean that the risks of inappropriate exercise of delegations, non compliance with contractual requirements and/or inappropriate use of public funds are not fully addressed.

Recommendations

The audit recommends that TfNSW improve the capacity of its bus contracts management team. It should also close the gaps in its contract management specific procedures and delegations, and start regularly auditing operator responses to customer complaints.

TfNSW should implement strategic planning, including enhanced data analytics, aimed at improving bus operator performance.

On time running (OTR), customer complaints, tracking rates, and cancelled and incomplete trips are important key performance indicators (KPIs) as they represent significant facets of the customer experience.⁷ This chapter considers OTR KPIs in detail, since the start of the Greater Sydney Bus Contract (GSBCs).

OTR is defined in Schedule 4 of the GSBC with three KPIs – first, mid and last stop OTR. All three are measured as the percentage of timetabled bus trips that are on time at the specified location. GSBC operators are required to report to Transport for NSW (TfNSW) on these three KPIs every month.

For the first and mid stops ‘on time’ is defined as between 59 seconds early and five minutes and 59 seconds late compared to the timetable.

TfNSW has advised that mid transit stop OTR has been incorrectly calculated for multiple GSBC regions and that it was in the process of re-calculating this KPI for the operators that were affected. As a result, we do not report mid transit stop OTR numbers here or draw any conclusions about them.

OTR for the last transit stop on a route is measured as a percentage of bus trips arriving on time, where ‘on time’ is defined as no later than five minutes and 59 seconds after the timetable arrival time.

First stop OTR has decreased over the duration of the GSBCs, but it has stabilised in the period from January 2023 to May 2024

Figure 8 shows the aggregated first stop OTR performance data across metropolitan Sydney as a whole (excluding region 6) for the duration of the GSBCs. It also reflects advice received from TfNSW that there is a change in bus operator performance in January 2023 and splits the time period accordingly (April 2022 to December 2023 and January 2023 to May 2024).

During the audit, TfNSW emphasised the impact of the bus driver shortage on bus service performance against KPIs, as well as seasonal effects in OTR performance. Therefore, Figure 8 also shows the reported driver shortages for each month from June 2022, as well as the January and February seasonal effects.

Figure 8 shows that, while there is an overall downward trend in performance, first stop OTR becomes stable after January 2023. Prior to that point in time, performance was declining.⁸

This chapter considers operator performance against key performance indicators (KPIs) for bus tracking rates and cancelled and incomplete trips. From the perspective of bus passengers, tracking is important to ensure timetables and real-time data are accurate and reflects the reality of the services they are receiving. Tracking is also essential for the measurement of on time running (OTR) and cancelled and incomplete trips.

This chapter considers operator performance based on customer complaints received. Customer complaints are defined in Schedule 4 of the Greater Sydney Bus Contract (GSBC) as any report of a negative experience in relation to a bus service in the categories of ‘complaint’ and ‘feedback’. This excludes vexatious complaints, and any complaints about issues that are within Transport for NSW’s (TfNSW) control and not the operators.

Customer complaints have increased since the start of the GSBC

The number of customer complaints about bus services over the entire GSBC area has increased over time. The number of complaints per 100,000 boardings in May 2024 is approximately double that in April 2022 (28.9 complaints per 100,000 boarding compared to 14.4), reflecting increasing customer dissatisfaction with the services delivered.

Complaints are measured using several key performance indicators (KPIs) that represent factors such as the number of complaints per 100,000 boardings and the time it takes operators to respond to complaints. Figure 12 represents the number of customer complaints per 100,000 boardings across the GSBC operators over the GSBC period.

Appendix 1 – Response from Transport for NSW

Appendix 2 – The evolution of bus contracting in NSW from 2003

Appendix 3 – About the audit

Appendix 4 – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #402 - released 29 January 2025.

About this report

NSW Ambulance delivers emergency and non emergency medical services and transport to patients in New South Wales, and connects patients who do not need an emergency medical response with the most appropriate health provider.

NSW Ambulance operates as part of a network of public health services. 

This audit assessed the efficiency and effectiveness of ambulance services in regional New South Wales.

Findings

NSW Health is maintaining effective ambulance services in regional New South Wales, despite increasing demand. 

NSW Ambulance and the Ministry of Health use effective governance arrangements to monitor regional ambulance performance. NSW Ambulance and Local Health Districts (LHDs) communicate effectively to manage day-to-day operational challenges. However, the audit identified opportunities to improve the Ministry’s oversight of regional performance, and to enhance information sharing between NSW Ambulance and LHDs.

NSW Health is working to identify opportunities to reduce demand on the NSW Ambulance fleet and hospital emergency departments in regional New South Wales.

NSW Ambulance undertakes holistic service planning to efficiently deliver ambulance services in regional New South Wales.

Recommendations

The audit recommends that:

• The Ministry of Health, eHealth and NSW Ambulance implement a new NSW Ambulance Electronic Medical Record system
• The Ministry of Health and NSW Ambulance improve system oversight, monitoring and reporting of ambulance performance at the regional and metropolitan level
• The Ministry of Health finalise its Transport for Health strategy and undertake a review of all non-emergency patient transport operators across the state
• NSW Ambulance and LHDs improve strategic engagement with other NSW Health entities.

NSW Ambulance is a front line health service provider, delivering emergency and non-emergency medical services and transport to patients in New South Wales. It provides medical help to patients experiencing life-threatening injuries (referred to as high acuity patients), illness, and trauma, and connects patients who do not need an emergency medical response (referred to as low acuity patients) with the most appropriate health provider.

NSW Ambulance operates as part of a network of public health services. For NSW Ambulance to efficiently transfer patients to hospitals, hospitals need to have sufficient capacity to accept new patients. In regional contexts, distance is an important factor in the effective delivery of ambulance services.

The objective of this audit is to assess the efficiency and effectiveness of ambulance services in regional New South Wales, by answering the following questions:

1. Does NSW Health work effectively and efficiently to deliver ambulance services in regional and rural New South Wales?
2. Is NSW Health effectively and efficiently planning and allocating ambulance services in regional New South Wales?
3. Is the effectiveness of ambulance services in regional and rural New South Wales increasing over time?

The NSW Health agencies included in this audit are NSW Ambulance, the Ministry of Health, Murrumbidgee and Southern NSW Local Health Districts, eHealth NSW and HealthShare NSW.

The Ministry of Health expects Local Health Districts and state wide health services (such as NSW Ambulance) to engage and collaborate with stakeholders throughout service planning, but it is unclear whether the Ministry ensures that this occurs

The Ministry of Health is responsible for setting policy and strategy direction for the overall NSW Health system and provides guidance to all NSW Health entities (including Local Health Districts and NSW Ambulance) to inform service planning. Local Health Districts are responsible for ensuring that relevant policy objectives are achieved through the planning and funding of the range of health services that best meet the needs of their communities.

Service plans describe how services will achieve measurable health improvements and outcomes. NSW Health entities create service plans within a broader framework of system-wide goals, objectives and priorities. The Guide to Service Plans notes the importance of active and inclusive stakeholder engagement and requires that stakeholders should be engaged throughout the planning process. It also notes that state-wide health and shared services impacted by planning should be engaged to assist with the assessment of service requirements and resource implications.

The audit identified several examples of service plans and key initiatives developed within Southern NSW Local Health District which directly related to ambulance services, but where NSW Ambulance was not identified as a stakeholder. These include:

• A business case for a new MRI service at Goulburn hospital: prior to the establishment of MRI services in Goulburn, there were no MRI services available within Southern NSW Local Health District, with the closest available provider located in Bowral (a private provider) or at the Canberra Hospital. This business case included decreased reliance on patient transport for imaging as a benefit.
• The clinical service plan for Batemans Bay Community Health Centre (which will provide urgent care services in Southern NSW Local Health District).

Southern NSW Local Health District included NSW Ambulance as a stakeholder in cross-border service planning, including NSW Ambulance as a signatory in a cross-border memorandum of understanding for stroke patient transfers between Southern NSW Local Health District, Murrumbidgee Local Health District, Canberra Health Services and NSW Ambulance.

In Murrumbidgee Local Health District, the audit identified one example of the Local Health District including NSW Ambulance as a stakeholder in planning activities. In an updated terms of reference document for the Cootamundra Partnership Reference Committee, which was established to develop a new Health Service Plan for the Cootamundra Health Service, NSW Ambulance has been included as an invitee to this forum.

No health entities undertake whole-of-system service planning for non-emergency patient transport services in rural and regional New South Wales

Non-emergency patient transport services in regional and rural Local Health Districts are provided by HealthShare NSW (in Hunter New England Local Health District and Illawarra Shoalhaven Local Health District), Local Health Districts and NSW Ambulance. Both Southern NSW Local Health District and Murrumbidgee Local Health District engage private providers and community transport providers to supplement their patient transport capacity. When non-emergency patient transport services are at capacity, Local Health Districts rely on NSW Ambulance to assist with facilitating patient transfers.

Despite these challenges, there is no whole-of-system approach to service planning for patient transport. Whole-of-system planning would enable NSW Health to better manage risk and reduce reliance on the use of the NSW Ambulance fleet for patient transport in rural and regional New South Wales.

NSW Ambulance undertakes holistic service planning, but it did not engage Local Health Districts as stakeholders in the development of its recent Clinical Services Plan

As a state-wide health service, NSW Ambulance’s service planning broadly reflects the key deliverables articulated in its Service Agreement with the Secretary of Health. The Ministry of Health, in its responsibility for planning key services and as the ‘purchaser’ of ambulance services, ensures that NSW Ambulance service planning gives regard to the broader strategic policy environment.

In 2023, NSW Ambulance developed a new Clinical Services Plan 2024–2029 which includes a focus on supporting innovative approaches to clinical redesign and the delivery of new clinical programs. This includes strengthening collaboration between NSW Ambulance and Local Health Districts (particularly in care models for smaller rural communities and the involvement of paramedics in care and management of patients with chronic diseases).

NSW Ambulance consulted with the Ministry in the development of the Clinical Services Plan. It advised the audit that as the Clinical Services Plan largely reflects the objectives contained in its Strategic Plan, specific consultation with Local Health Districts was not required.

While NSW Ambulance is currently developing a five-year roadmap for the implementation of its Clinical Services Plan, it is unclear how NSW Ambulance intends to implement and resource these objectives in a timeframe that complements similar work across NSW Health.

The Southern NSW Local Health District Clinical Services Plan does not include specific consideration of the provision of patient transport and it is not clear whether it consulted NSW Ambulance during development

Southern NSW Local Health District’s 2023–28 Clinical Services Plan notes development of the plan was informed by local, state and national strategic directions for the health system, as well as outcomes and recommendations of relevant NSW Health and local reviews and inquiries.

Southern NSW Local Health District identified five focus areas in its 2023–28 Clinical Services Plan:

• Supporting health and wellbeing through primary, secondary, and tertiary prevention
• Providing care closer to home
• Ensuring the sustainability of our existing services
• Planning for growth and ageing in our population
• Ensuring equity of access to care.

The Southern NSW Local Health District conducted community stakeholder consultation during development of its Clinical Services Plan, which resulted in feedback relating to challenges accessing health services. Community consultation feedback provided to Southern NSW Local Health District included the below key points relating to transportation to access health services:

• a lack of public and/or private transport to and from health facilities
• the additional burden on rural residents to access health care, noting that rural communities are often long distances from tertiary facilities
• difficulties with transportation, noting community transport options are limited and it can be difficult to coordinate timing.

Southern NSW Local Health District’s Clinical Services Plan acknowledges the District consulted with internal stakeholders and other service providers to develop the plan, however, it is not clear whether Southern NSW Local Health District included NSW Ambulance in consultation for feedback. Additionally, while actions to address the areas of focus for the Clinical Services Plan relate to more localised access to care and delivery of care, as well as increased capacity and access, the plan does not include any actions specific to the provision of health related transportation.

Southern NSW Local Health District has committed to improve access to clinical services in rural and remote settings through the delivery of virtual care models

In its 2023-28 Clinical Services Plan, Southern NSW Local Health District commits to establishing a single point of entry so that patients can access appropriate care in ‘the right place, at the right time’ through (among other actions), an enhancement and expansion of its Virtually enhanced Community Care program and establishment of the Virtual Rural Generalist Service.

This audit identified some examples of Local Health Districts partnering to improve access to clinical service in rural and remote settings. In Southern NSW Local Health District, the Local Health District has partnered with Western NSW Local Health District to implement the Rural Virtual Generalist Service in smaller facilities across the District.

NSW Ambulance’s workforce planning effectively considers demand, workload, coverage, and capability requirements and it uses this evidence to allocate personnel and other resources to efficiently deliver ambulance services in regional New South Wales

NSW Ambulance has a well evolved and evidenced service planning methodology. NSW Ambulance established a service planning capability in 2010, and the current methodology (developed in 2022–23) includes analysis at the station and local network level of demand projections, staffing levels required, the drivers of effective and efficient supply provision, models of care, specialty resources and capital and infrastructure requirements. It includes a substantial focus on station location and the type of resource required.

Service planning informs (and is informed by) benefits realisation for new programs and initiatives (such as SWEP, SWIFT). NSW Ambulance has also developed a model to assess ‘unmet demand’ which it uses when determining sites for potential resource allocation and supplementation. NSW Ambulance continuously monitors its need and priority for additional or enhanced ambulance services and considers the following criteria:

• volume of demand in town and surrounding area
• distance from any ambulance service
• current response times to emergency incidents
• modelled improvement in response times if an ambulance station was commissioned
• assessment of capacity and condition of closest ambulance station
• capacity of NSW Ambulance volunteer service to provide a response.

NSW Ambulance continuously reviews key inputs into the service planning methodology, in particular its demand project methodology.

The main output of NSW Ambulance’s service planning methodology is the creation of a whole-of-state service model which describes the clinical service levels for each ambulance station. A station’s clinical service level determines both the number of clinical staff required and its specific roster pattern, as well as the staff type (graduate paramedic, specialist paramedic, etc.). NSW Ambulance then creates station rosters in alignment with this model.

In addition to the demand- and activity-based evidence sources NSW Ambulance uses to inform its service planning, NSW Ambulance includes evidence-based analysis in its business cases to support NSW Government funding requests, which also contain thorough descriptions of how the proposed funding would be allocated.

Recent investments in the regional paramedic workforce have allowed NSW Ambulance to reduce the use of on-call rostering and improve the working conditions of regional paramedics

NSW Ambulance rostering practices allow for some stations to utilise on-call resources, which can cause fatigue among paramedics rostered on shift following an on-call period.

Announced in the 2018–19 NSW Budget, the NSW Government announced funding for the recruitment of an additional 750 FTE paramedic and call-centre staff over four years commencing in 2018–19. The Statewide Workforce Enhancement Program (SWEP) was designed by NSW Ambulance to enable improvements in efficiency, coverage, quality, safety and performance across New South Wales and achieve response performance targets.

The SWEP business case detailed the extent to which NSW Ambulance relied upon various forms of premium labour in order to maintain service delivery and to meet community expectations in terms of response performance. The SWEP business case identified that $20 million in premium labour savings after the four-year implementation program would be achieved by reducing over-reliance on overtime.

SWEP resulted in an additional 376 FTE positions across ambulance stations in regional NSW, and allowed NSW Ambulance to reduce on-call rostering:

• 22 regional/rural locations were converted to a 24/7 operating model removing overnight on-call
• Removal of on-call at four locations that were previously operating on a 24/7 roster with overnight on-call
• Reduction in on-call at eight locations.

NSW Ambulance measured premium labour savings achieved by monitoring callouts, crib-penalty payments, and dropped-shift overtime. In August 2022, as part of an internal review of the SWEP program, NSW Ambulance noted that the SWEP program achieved the reduction in premium labour expenditure and improved the working conditions of regional paramedics.

NSW Ambulance anticipates that recent changes to funding arrangements will result in a key program not achieving its intended benefits

In June 2022, the NSW Government announced a $1.76b investment in NSW Ambulance over a four-year period to fund 210 ambulance support staff (including the ongoing establishment of NSW Ambulance’s Virtual Clinical Care Centre (VCCC)), 1,878 new paramedics, 52 nurses, eight doctors, and build 30 stations.

Known as the Strategic Workforce InFrastructure Team program (SWIFT), NSW Ambulance designed the program to meet two objectives:

• firstly, to improve patient outcomes, and the probability of survival from immediately life threatening conditions.
• to achieve compliance with WHS obligations through the reduction of overrun shifts, overtime, and increase staff meal breaks.

When it was announced as part of the 2022–23 NSW Government budget, SWIFT was designed as a four-year program. However, recent changes to funding arrangements have changed the SWIFT timeframe and the program will now be delivered over seven years (at the same cost).

One of the key objectives of the SWIFT business case was to improve patient outcomes and the probability of patient survival by achieving response times within 15 minutes for 85% of P1 incidents by 30 June 2026. NSW Ambulance regularly reports and tracks performance on SWIFT indicators, and advises that as at 21 December 2023, the program was on track to meet the target.

NSW Ambulance modelled that the impact of extending the funding window from four years to seven years would add three years of additional demand growth and result in the program failing to achieve the 85% target by June 2026.

Appendix one – Response from agency

Appendix two – NSW Ambulance performance data

Appendix three – NSW Ambulance regional station map

Appendix four – NSW Ambulance key performance indicators

Appendix five – Types of patient transport operational across New South Wales

Appendix six – Scheduled psychiatric interhospital patient transfers

Appendix seven – NSW Ambulance governance bodies

Appendix eight – About the audit

Appendix nine – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

 Parliamentary reference - Report number #398 released 27 June 2024.

About this report

This audit assessed the effectiveness of the Department of Communities and Justice (DCJ) in planning, designing, and overseeing the NSW child protection system.

The audit used 'follow the dollar' powers to assess the performance of five non-government organisations (NGOs), that were contracted to provide child protection services. More information about how we did this is included in the full report.

Findings

The NSW child protection system is inefficient, ineffective, and unsustainable.

Despite recommendations from numerous reviews, DCJ has not redirected its resources from a ‘crisis driven’ model, to an early intervention model that supports families at the earliest point in the child protection process.

DCJ's organisational structure and governance arrangements do not enable system reform.

DCJ has over 30 child protection governance committees with no clarity over how decisions are made or communicated, and no clarity about which part of DCJ is responsible for leading system improvement.

DCJ's assessments of child protection reports are labour intensive and repetitive, reducing the time that caseworkers have to support families with services.

DCJ has limited evidence to inform investments in family support services due to a lack of data about the therapeutic service needs of children and families. This means that DCJ is not able to provide relevant services for families engaged in the child protection system. DCJ is not meeting its legislated responsibility to ensure that families have access to services, and to prevent children from being removed to out of home care.

DCJ does not monitor the wellbeing of children in out of home care. This means that DCJ does not have the information needed to meet its legislative responsibility to ensure that children 'receive such care and protection as is necessary for their safety, welfare and well-being’.

In August 2023, there were 471 children living in costly and inappropriate environments, such as hotels, motels, and serviced apartments. The cost of this emergency accommodation in 2022–2023 was $300 million. DCJ has failed to establish ‘safe, nurturing, stable and secure’ accommodation for children in these environments.

Since 2018–19, the number of children being returned to their parents from out of home care has declined. During the five years to 2022–23, families have had limited access to restoration services to support this process.

Recommendations

The audit made 11 recommendations to DCJ. They require the agency to identify accountability for system reform, and to take steps to ensure that children and families have access to necessary services and support.

The child protection system aims to protect children and young people under 18 years old from risk of abuse, neglect, and harm. In NSW, child protection services can include investigations of alleged cases of child abuse or neglect, referrals to therapeutic services for family members, the issuing of care and protection orders, or the placement of children and young people in out of home care if it is deemed that they are unable to live safely in their family home.

A key activity in the child protection process is to determine whether a child is at ‘risk of significant harm’ as defined by Section 23 of the Children and Young Persons (Care and Protection) Act 1998. The Act describes significant harm as when ‘the child's or young person's basic physical or psychological needs are not being met or are at risk of not being met'. The Department of Communities and Justice (DCJ) has developed a process for determining risk of significant harm. It requires multiple assessments of child concern reports and at least two separate assessments of the child in the home. This process can take a number of months, and until all of these activities are complete, DCJ describes the child as suspected or presumed to be at risk of significant harm.

DCJ has primary responsibility for the child protection system in NSW. DCJ is both a provider of child protection services and a purchaser of child protection services from non-government organisations (NGOs). As system steward, DCJ has a role to establish the policy environment for child protection services and operations. In addition, DCJ is responsible for all governance and reporting arrangements for the commissioned NGOs that deliver services on its behalf, as well as for the governance and reporting arrangements of its own DCJ staff. DCJ must ensure that the child protection system is achieving its intended outcomes – to protect and support children in ways that meet their best interests - as described in legislation.

This audit assessed the effectiveness of DCJ’s planning, design, and oversight of the statutory child protection system in NSW. We assessed whether DCJ was effective in ensuring:

• there is quality information to understand and effectively plan for child protection services and responses
• there are effective processes to manage, support, resource, and coordinate child protection service models and staffing levels
• there is effective oversight of the quality and outputs of child protection services and drivers of continuous improvement.

To do this, the audit assessed the statutory child protection system with a particular focus on:

• initial desktop assessments and triaging of child protection reports
• family visits and investigations of child protection reports
• case management services and referrals to services
• the management of all types of care and protection orders
• the assessments and placements of children in out of home care.

The audit also assessed the performance of five NGOs that provide commissioned child protection services. Collectively, in 2021–2022, the five audited NGOs managed approximately 25% of all out of home care services in NSW. The policies, practices, and management reporting of the five NGOs was assessed for effectiveness in relation to the following:

• quality of data used to understand service requirements
• arrangements for operational service delivery to meet identified needs
• governance arrangements to deliver safe and quality out of home care services under contract arrangements with DCJ.

This audit was conducted concurrently with another audit: Safeguarding the rights of Aboriginal children in the child protection system.

The child protection system aims to protect children and young people (aged less than 18 years) from the risks of abuse, neglect, and harm. Child protection services can include investigations, (which may or may not lead to substantiated cases of child abuse or neglect), care and protection orders, and out of home care placements.

The Department of Communities and Justice (DCJ) has statutory responsibility for assessing whether a child or young person is in need of care and protection. DCJ’s Child Protection Helpline receives and assesses reports of possible child abuse or neglect. If the information in the report is assessed as meeting a threshold for risk of significant harm, DCJ caseworkers at Community Service Centres investigate the report and decide on a course of action. Follow-up actions can include referring the family to services, visiting the family to conduct ongoing risk and safety assessments of the child, or closing the case. If a child is determined to be unsafe, the child may be removed from the family home and placed in out of home care.

Non-government organisations (NGOs) are funded by the NSW Government to provide services to children and young people who require out of home care and other support services. NGOs provide approximately half of all out of home services in NSW, and DCJ provides the other half.

Government agencies such as Health, Education and Police also play a role in child protection processes, particularly in providing support for children and families where there are concerns about possible abuse or neglect. NSW Health provides some support services for families, along with the Department of Communities and Justice. Exhibit 1 shows some headline child protection statistics for NSW in 2022–2023.

Source: Audit Office summary of DCJ data on child protection statistics.

DCJ has not made progress in shifting the focus and resources of the child protection system to an early intervention model of care, as recommended by major system reviews

DCJ has not readjusted its resource profile so that its operating model can take a more preventative approach to child protection. A preventative approach requires significant early intervention and support for families and children soon after a child has been reported as being at risk of significant harm. This approach has been recommended by a number of reviews into the child protection system.

In 2015, the Independent Review of Out of Home Care in New South Wales recommended an investment approach that uses client data and cost-effective, evidence-based interventions to reduce entries to out of home care and improve outcomes for families and children.

The NSW Government response to the Independent Review of Out of Home Care in New South Wales was a program entitled: Their Futures Matter. This program commenced in November 2016 and was intended to place vulnerable children and families at the heart of services through targeted investment of resources and services. A 2020 report from our Audit Office found that ‘while important foundations were laid and new programs trialled, the key objective of establishing an evidence-based whole of government early intervention program … was not achieved. The majority of $380 million in investment funding remained tied to existing agency programs, with limited evidence of their comparative effectiveness.’

DCJ’s expenditure since 2018–2019 shows that most additional funding has been used to address budget shortfalls for out of home care, and to expand the numbers of frontline case workers. Budget increases show that during the period from 2018–2019 to 2022–2023, DCJ’s expenditure on out of home care increased by 36%, and expenditure on caseworkers increased by 26%. DCJ’s expenditure on family support services, including early intervention and intensive support services, increased by 31% during the audit period.

These resourcing priorities indicate that DCJ has not shifted its focus or expenditure in ways which reorient the child protection system. DCJ has not dedicated sufficient resources to early intervention, and therapeutic support for families and children, in order to implement the recommended changes made by systemwide child protection reviews.

In 2019, the Family is Culture Review recommended increased investment in early intervention support services to prevent more Aboriginal children entering out of home care, with a preference for these services to be delivered by Aboriginal Community Controlled Organisations. Progress towards enhancing a culturally appropriate service profile has been limited. DCJ last published progress against the Family is Culture recommendations in August 2021, when it reported that projects to increase financial investment in early intervention services were under review.

Data from March 2023 shows that 89% of the DCJ-funded, family support service volume across NSW is delivered by mainstream providers compared with ten per cent provided by Aboriginal Community Controlled Organisations, and one per cent by culturally specific providers. Given that Aboriginal children make up approximately half of all children in out of home care, there is still significant work required to shift the service profile.

DCJ’s governance arrangements are not structured in a way that ensures transparency and accountability for system reform activity and service improvements

DCJ’s organisational structure reflects multiple operational and policy functions across its three branches - the Commissioning Branch, the Operational Branch, and the branch responsible for Transforming Aboriginal Outcomes. Some branches have responsibility for similar functions, and it is not clear where overall executive-level accountability resides for system reform. For example, all three branches have a policy function, and there is no single line of organisational responsibility for this function, and no indication about which branch is responsible for driving system reform.

DCJ has over 30 governance committees and working groups with responsibilities for leadership and oversight of the statutory child protection and out of home care system. DCJ’s governance committees include forums to provide corporate and operational direction, to make financial and resourcing decisions, and to provide leadership and program oversight over the different functions of child protection and out of home care. Some committees and working groups oversee DCJ’s activity to meet government strategic priorities and respond to the findings and recommendations of child protection and out of home care reviews and commissions of inquiry.

Much of DCJ’s work in child protection and out of home care is interdependent, but its governance arrangements have not been structured in a way that show the lines of communication across the Department. There is no roadmap to show the ways in which decisions are communicated across the various operational and corporate segments of DCJ’s child protection and out of home care business operations.

In 2022, DCJ commenced activity to reorganise its operational committees into a four-tier structure, with each tier representing a level in the hierarchy of authority, decision-making and oversight. Draft documents indicate the ways in which the new organisational structure will facilitate communication through the different business areas of DCJ to the Operations Committee where most of the high-level decisions are made or authorised before being referred to the Executive Board for sign off. The new governance arrangements indicate a more transparent process for identifying Department and divisional priorities across policy and programs, though the process for reforming governance processes was not complete at the time of this audit.

DCJ’s strategic planning documents do not contain plans to address the pressure points in the child protection system or address the increasing costs of out of home care. After the merger of the Department of Family and Community Services (FACS) and the Department of Justice, DCJ’s Strategic Directions 2020–2024 document sets out the direction for the expanded Department in generalised terms. While it describes DCJ’s values, and describes an intention to improve outcomes for Aboriginal people and reduce domestic and family violence, it does not contain enough detail to describe a blueprint for Departmental action.

In April 2023, DCJ published a Child Safe Action Plan for 2023 to 2027. This plan includes a commitment to hear children’s voices and to ‘improve organisational cultures, operations and environment to prevent child abuse’. In September 2023, the NSW Government committed to develop ‘long-term plans to reform the child protection system and repair the budget, as part of its plan to rebuild essential services and take pressure off families and businesses'. Any activity to implement these commitments was not able to be audited, as it was too soon to assess progress at the time of this report publication.

DCJ’s expenditure priorities predominantly reinforce its longstanding operating model – to focus on risk assessments and out of home care services rather than early intervention

More than 60% of DCJ’s budget for child protection is spent on out of home care. In the five years from 2018–2019, DCJ’s expenditure on out of home care increased by 36% from $1.39 billion in 2018−19 to $1.9 billion in 2022–23.

During the same timeframe, DCJ’s expenditure on risk report assessments and interventions at the Helpline and Community Service Centres increased by 25%. It grew from $640 million in 2018–2019 to $800 million in 2022–2023. This not only reinforced the existing model of child protection, it expanded upon it, at the expense of other activity.

While DCJ’s expenditure on family support services increased by 31% from $309 million in 2018–2019 to $405 million in 2022–2023, it remains a small component of DCJ’s overall expenditure at 13% of the total budget spend in 2022−2023, as shown at Exhibit 6.

Note: Expenditure is actual spending in each year, not adjusted for inflation. Totals may be more than the sum of components due to rounding. percentages may not sum to 100 due to rounding.

Source: Audit Office analysis of Productivity Commission data published in Reports on Government Services 2024, Table 16A.8.

DCJ has not done enough to support the transition of Aboriginal children to the Aboriginal community controlled sector as planned

In 2012, the NSW Government made a policy commitment to ensure the transfer of all Aboriginal children in out of home care to Aboriginal Community Controlled Organisations. DCJ acknowledges that over the past 12 years, the NSW Government has made limited progress in facilitating this transition.

In June 2023, a total of 1,361 children were managed by Aboriginal Community Controlled Organisations across NSW. At the same time, 1,746 Aboriginal children were being case managed by non-Aboriginal NGO providers, and 3,456 Aboriginal children were case managed by DCJ. In total there were 5,202 Aboriginal children waiting to be transferred to Aboriginal Community Controlled Organisations in June 2023.

The transition process was planned and intended to occur over a ten year timeframe from 2012 to 2022. This has not been successful. DCJ has revised its timeframes for the transition process, and now aims to see the transfer of the ‘majority’ of Aboriginal children to Aboriginal Community Controlled Organisations by June 2026. At the current rate of transition, it would take over 50 years to transfer all 5,202 children to Aboriginal Community Controlled Organisations, so this timeframe is ambitious and will require close monitoring by DCJ.

The cost of transitioning all 5,202 Aboriginal children from DCJ and the non-Aboriginal NGOs to the Aboriginal Community Controlled sector will add close to $135 million to the NSW Government out of home care budget. The increased costs are due to the higher costs of administration, accreditation, and oversight of services provided by the Aboriginal Community Controlled sector.

DCJ has prioritised the transfer of Aboriginal children from non-Aboriginal NGOs to Aboriginal Community Controlled Organisations before the transfer of Aboriginal children from DCJ’s management. This prioritisation is due, in part, to the fact that most of the non-Aboriginal carers of Aboriginal children are with NGOs. NGO contract requirements should have been one of the drivers of the transition of Aboriginal children to Aboriginal Community Controlled Organisations.

The most recent NGO contracts, issued in October 2022, required that NGOs develop an Aboriginal Community Controlled transition plan by 31 December 2022. This timeframe was extended to 30 June 2023. All of the NGOs we audited have now prepared detailed transition plans for the transition of Aboriginal children, including service plans that identify risks and document collaborative efforts with Aboriginal Community Controlled Organisations.

One important requirement in the success of the transitions, is the willingness of carers to switch from their existing NGO provider to an Aboriginal Community Controlled Organisation. During the period of this audit DCJ failed to provide sufficient information to carers, to assure them of the NSW Government’s commitment to the transition process. Since July 2023 DCJ has written to carers of Aboriginal children case managed by non-Aboriginal Community Controlled Organisations and provided them with more information about the transition process.

NGOs have had limited success in transitioning Aboriginal children to Aboriginal services, and can do more to report on activity, so that system improvements can be made

Non-Aboriginal NGOs have had limited success in transferring Aboriginal children to the Aboriginal-controlled out of home care sector. For example, of the approximately 1,700 Aboriginal children that were managed by non-Aboriginal providers in 2022–2023, 25 Aboriginal children were transferred from non-Aboriginal NGOs to Aboriginal Community Controlled Organisations in that year. While DCJ controls the key drivers in this transition, there is limited evidence that NGOs have initiated consultations with Aboriginal Community Controlled Organisations during the audit period.

NGOs advised that some of their carers do not want to transition to Aboriginal Community Controlled Organisations, and this is slowing the transfer process. NGO contracts in force until September 2022 required that: ‘The express agreement of carers must be sought prior to the transfer of an Aboriginal Child to an Aboriginal Service Provider.’ This audit was not able to verify the extent to which carers have resisted the move to Aboriginal Community Controlled Organisations.

DCJ did not provide NGOs with sufficient direction, coordination, or governance through its contract arrangements to effect transitions from non-Aboriginal NGOs to Aboriginal NGOs. DCJ has established a project control group with representatives from NGO peak bodies and has set up an internal program management office to manage the transition.

There are limited drivers for the transition of Aboriginal children to Aboriginal-controlled services, and financial risks for both Aboriginal Community Controlled Organisations and non-Aboriginal NGOs in the process

Aboriginal Community Controlled Organisations and non-Aboriginal NGOs are carrying significant financial risk due to a lack of certainty in the transition process of Aboriginal children to the Aboriginal Community Controlled sector. These agencies are responsible for planning and making changes to their business models in order to facilitate the transition process. DCJ does not provide funds for this activity.

Some non-Aboriginal NGOs have high numbers of Aboriginal children in their care. These agencies risk financial viability if children and their carers are transitioned in a short space of time. There is a degree of uncertainty about the timelines for transitions to Aboriginal Community Controlled Organisations, and the numbers of children that will be transitioned at any given time.

Non-Aboriginal NGOs are not in a position to require Aboriginal Community Controlled Organisations to take Aboriginal children. Similarly, Aboriginal Community Controlled Organisations cannot compel the transition of children to their care. There are no real system drivers for this activity, and some financial disincentives for NGOs supporting large Aboriginal caseloads.

Throughout 2023, some Aboriginal Community Controlled Organisations have been upscaling their businesses to prepare for the transition of Aboriginal children to their care. They have employed additional caseworkers and enhanced administrative and infrastructure arrangements to take on new children, without receiving new intakes. They report that they have been financially disadvantaged by the failure of the transition process. Aboriginal Community Controlled Organisations advise that they don’t expect confirmation of the child transition process and timelines until 2024 and must carry the financial consequences of upscaling.

DCJ does not collect sufficient data to assess the effectiveness of its child protection service interventions and does not know whether they lead to improved outcomes

DCJ does not collect sufficient information to understand whether its child protection risk and safety interventions are effective in protecting children from abuse, neglect, exploitation, and violence.

DCJ is the sole entity with responsibility to make assessments of children after there has been a child protection report. After a child has been reported, DCJ caseworkers conduct a range of assessments of the child and family context, to determine whether the child is at risk of significant harm. If DCJ caseworkers determine that a child is ‘in need of care and protection,’ Section 34 of the Care Act requires DCJ to ‘take whatever action is necessary to safeguard and promote the safety, welfare and well-being of the child or young person’, including ‘providing, or arranging for the provision of, support services for the child or young person and his or her family’.

DCJ has limited measures to assess the effectiveness of its service interventions. DCJ monitors and reports on the number of children who are re-reported within 12 months after receiving a DCJ caseworker intervention. However, DCJ does not monitor or report any comparative data that would potentially demonstrate the effectiveness of its service interventions. For example, DCJ does not collate and publish data on re-report rates of children who do not receive a DCJ service intervention. This comparative data would give DCJ greater understanding about the effectiveness of its service interventions.

In addition, DCJ’s re-report data does not differentiate between re-reports of children that are substantiated, from those that are not. Children can be re-reported for a variety of reasons. Some re-reports are of children who are not at increased risk of significant harm. Therefore, the current re-report data is a limited measure of the effectiveness of DCJ’s service interventions.

DCJ does not collect data or compare outcomes based on the kinds of services that are accessed by children and families. For example, DCJ does not report on instances where families were denied service interventions because support services were full, or did not exist in their region. DCJ does not collect data or report on children who were taken into out of home care in areas where there were no available services to support the family.

DCJ caseworkers can support families by making referrals to drug and alcohol rehabilitation services, family violence services, parenting support courses, or mental health services. It is not known whether families receive services that are relevant to their needs. Some services are offered as additional DCJ caseworker support, some are NGO funded support packages, some offer therapeutic interventions, and some are provided via external government agency services, such as NSW Health. Support services are highly rationed in NSW, and many families engaged in the child protection system do not have access to them.

Limited outcomes data and reporting means that DCJ cannot demonstrate how its actions and service interventions are reducing risks and harms to children, and promoting their safety, welfare, and wellbeing in line with the Care Act.

While child protection reports have significantly increased over the past ten years, around 40% do not meet the threshold for suspected abuse and neglect to warrant a response

The overall number of child protection reports received by the Helpline has increased significantly over the past ten years. Reports to the Helpline ensure that children at risk of significant harm come to the attention of DCJ, but around 40% of reports do not meet the threshold of abuse and neglect to warrant a child protection report and response from child protection caseworkers. DCJ has finite resources, and responding to reports that do not require intervention reduces the capacity of DCJ to effectively respond to children who are at risk of significant harm.

In 2022–2023, the Helpline received 404,611 concern reports, an increase of over 60% since 2012–2013 when there were 246,173 reports. Between 2012–2013 and 2017–2018, reports grew slowly, then increased rapidly for three following years up until 2021. While the number of Helpline reports fell in 2021–2022, this reduction was partly due to a drop in reports by teachers during COVID school closures, and was not maintained in 2022–2023.

DCJ attributes the rapid growth in child protection reports to increasing awareness amongst mandatory reporters about their statutory responsibilities to report, along with the introduction of the online reporting option. Mandatory reporters include medical practitioners, psychologists, teachers, social workers, and police officers. These personnel are legally required to report children that they suspect are at risk of significant harm. In one 3-month period from April to June 2021 there were over 40,000 reports from mandatory reporters that did not meet the threshold that activates a statutory child protection response from DCJ caseworkers. The assessment of these reports consumes significant resources, costing over $4 million during the three month period in 2021, which equates to over $15 million per annum.

In 2010, Child Wellbeing Units were established so that mandatory reporters from Education, Police and Health could be assisted in child protection reporting. The units were established in response to recommendations made by the Wood Special Commission of Inquiry into Child Protection Services. They aimed to reduce the number of reports to the Helpline and to support mandatory reporters to assist children and families to receive an appropriate response. DCJ managers advise that the units are underutilised, and mandatory reporters continue to submit reports to the Helpline. The Child Wellbeing Units have not successfully reduced the overall number of reports to the Helpline.

DCJ advised that it is evaluating the Child Wellbeing Units and is developing new guidance for mandatory reporters that aims to address the culture of over-reporting.

Exhibit 7 shows the ten years of Helpline reports from 2012–2013 to 2022–2023.

DCJ does not collate or analyse its service referral data, and as a result, is unable to commission relevant services for families engaged in the child protection system

DCJ lacks data to understand the supply and demand requirements for therapeutic services across the child protection system. DCJ does not collect or report aggregate data about service referrals for children and families, nor does DCJ report data about service uptake across its Districts. DCJ does not collect the necessary information to plan for commissioned therapeutic services, or to fill its service gaps. DCJ does not know whether its funded services are competing with, or complimentary to, services funded by other agencies.

DCJ is required to monitor its therapeutic service interventions in order to comply with the objectives and principles of the Care Act. The Care Act requires that ‘appropriate assistance is rendered to parents and other persons … in the performance of their child-rearing responsibilities in order to promote a safe and nurturing environment’, and that any intervention ‘must … promote the child’s or young person’s development.

DCJ does not collect reliable data on the success of service referrals after a child has been identified as being at risk of significant harm. DCJ does not collect information or report on the uptake and outcomes of its referrals where there is a low to intermediate risk of significant harm to the child or young person. In most cases, DCJ does not know whether children or families received a therapeutic service after a referral. The uptake of referrals is voluntary, and families may decide that they do not want to access therapeutic services. DCJ does not routinely record data about the numbers of families that decline services.

DCJ does not collect data on instances where a referral was needed but not made because there was no available service in the District or there were no available places in the service. It is well known within DCJ that therapeutic services are lacking in regional and remote NSW. These include poor access to paediatricians and adolescent psychiatrists, disability assessors, mental health services, alcohol and other drug rehabilitation services, and domestic violence services.

Over the past five years, there is no evidence that DCJ has conducted an assessment of the statewide therapeutic service needs of children and families in NSW, or matched its statewide service profile to these needs through the targeted commissioning of therapeutic services. There has been a lack of system stewardship to ensure there is equity of service access for children and families in all Districts.

In each District, Commissioning and Planning units undertake market analyses at the point when programs are due for recommissioning, generally every three to five years. This market analysis includes an assessment of the availability of local services. There is no consistency in how this work is done across the Districts. While the purpose of District-level, market analysis is to identify gaps and opportunities for services, we did not find evidence of services being newly commissioned where gaps were identified.

District-level Commissioning and Planning units conduct some assessment of the demographics of the local area, as well as information about socio-economic characteristics, and expected population growth. For example, one DCJ District identified that their population is expected to grow by 33% by 2031. This means that more contracts for family preservation places will be needed. Another District identified that they do not have culturally appropriate services. However, the contracts for this District are in place for at least three years, so the District cannot provide the required service profile for local families.

While DCJ is taking some steps to arrange an expanded service profile, the efforts are piecemeal. Different programs are managed and commissioned across different parts of DCJ. For example, one District has developed a localised partnership with the Ministry of Health, but DCJ has not developed a state-wide Memorandum of Understanding with NSW Health to give priority access to all children engaged in the statutory child protection system.

In 2015, the Independent Review of Out of Home Care in New South Wales recommended that DCJ ‘establish local cross-agency boards in each … district to provide local advice, and commission services in line with its priorities and defined outcomes.’ In response, DCJ developed a program known as Their Futures Matter. In 2020, the NSW Audit Office’s assessed this program and found that DCJ had not established any cross-agency boards with the power to commission services. At the time of this audit, in 2024, there is no evidence that DCJ has created cross-agency boards.

DCJ advises that, in future, it plans to issue extra contracts to increase the number of intensive therapeutic care services. DCJ is using data on the locations of children in emergency out of home care placements as part of its needs analysis. The process includes mapping the service system across the State. DCJ’s work to date, has identified a lack of intensive therapeutic care places in Western NSW. The lack of services in Western NSW impacts on the ability of DCJ to keep Aboriginal children on their traditional country, and connected to family and kin.

DCJ is using District-level data in its future-focused recommissioning for family preservation services. DCJ advises that, commencing in 2024, the agency will identify family support service requirements by matching data on instances of risk of significant harm to children by category of harm, and assess service availability at the District level. This audit has not received evidence that the work has begun.

DCJ lacks an integrated performance management system to collect, collate, and compare data about the effectiveness of NGO providers or the outcomes of child support programs

DCJ does not have an integrated performance management system to manage its many programs and contracts with NGO service providers. DCJ advises that at March 2024, it had 1,816 active contracts in its contract management system. DCJ has multiple reporting systems for its different program streams, with information on early intervention programs provided through a different information technology system than the system that is used for out of home care placements. Central program teams do not have good oversight of historical data or trends.

Until 2022, data related to DCJ’s Family Preservation Program was collected separately from each NGO provider, via quarterly spreadsheets. There was no consistency in the ways in which the data was collated or analysed. This means that DCJ does not know how many families entered the Brighter Futures program in each District, even though contracts were issued at a District level and over 7,000 families entered Brighter Futures program in 2018–2019, 2019–2020 and 2020–2021. DCJ does not have a statewide view of the location or effectiveness of this, or any of its other family preservation services.

Contracts with NGOs for out of home care contain service volume requirements, for example a minimum number of children in out of home care each year. Contracts also include performance measures and financial penalties for underperformance. Underperformance includes failure to notify DCJ about out of home care placement changes within contracted time periods. Due to problems with NGOs accessing the ChildStory system, DCJ does not collect reliable data on out of home care placements provided by NGOs and therefore DCJ is not able to issue financial penalties.

DCJ has also failed to deliver expected outcomes from the Human Services Dataset. The dataset was recommended by the 2015 Independent Review of Out of Home Care, and approved by the NSW Government in August 2016. The aim of the dataset was to bring together a range of service demand data in order to prioritise support for the most vulnerable children and families. It was intended to deliver whole-of-system reform that would lead to improved outcomes for children and families with the highest needs.

The dataset brings together 27 years of data, and over seven million records about children, young people, and families. The records contain de-identified information about all NSW residents born on or after 1 January 1990 (the Primary Cohort) and their relatives such as family members, guardians, and carers (the Secondary Cohort). The Independent Review of Out of Home Care recommended that the dataset include information about the service requirements of the most vulnerable families. This recommendation has not been implemented to date. The Human Services Dataset does not contain records about the service interventions made by NGOs, and has minimal child protection and out of home care placement data.

DCJ’s package-based funding system has not been successful in tailoring services to children in out of home care

When a child is transferred to an NGO for out of home care services, DCJ provides the NGO with relevant funding packages to support the child. NGOs receive different funding packages according to the care needs of the child. Some packages relate to the placement of the child, whether it be a foster care placement, or an intensive therapeutic care placement for children with complex needs. Other packages relate to the permanency goals for each child. These goals can include restoring the child to their parents, establishing the child in long-term foster care, or supporting the child through an adoption process. Each funding package is based on an average cost for the different service type.

While the funding packages are attached to individual children, in practice, NGOs can allocate this funding flexibly. NGOs can integrate the funds from the packages into their global budgets and use the funds for a range of activities. The package-based system that was intended to deliver tailored services to individual children in out of home care, is not being implemented in the ways it was intended.

NGOs do not receive funding for administrative or management costs. They are not funded for supporting Children’s Court work, or the recruitment of new foster carers. NGOs calculate how much they need for these different activities, and use the required funds from funding packages and other sources of income.

DCJ does not collect data from NGOs to determine the nature of the services that were delivered to the child against the funding for each package. In fact, NGOs are not required to report on the expenditure of package funds in relation to any outcomes that relate to the child’s health, wellbeing, cultural, or educational needs.

An external evaluation of the permanency support package system was completed in 2023. It found that children receiving permanency support packages did not achieve better outcomes than children in a control group who did not receive them. This indicates that the package-based system has not achieved its objective to shift the out of home care system from a bed per night payment model, to a child-centred funding model, aimed at supporting safety, wellbeing, and permanency in out of home care.

DCJ’s contract arrangements for NGO funding are overly complex and administratively burdensome

NGO recipients of package-based funding must liaise with separate DCJ contract managers for the different types of funding packages they receive. Within each DCJ District, a range of contract managers have oversight of the different package types – including the packages for out of home care placements, and for the family preservation program. In addition, many NGOs have contracts in more than one DCJ District. This means that NGOs must liaise with a number of different contract managers and operational teams across different units in multiple DCJ Districts. NGOs advise that the time spent navigating the DCJ system reduces the time they can spend actively supporting children and families.

NGOs report that DCJ District personnel can vary in their preferred communication styles and channels. Some District staff prefer email contact, others prefer phone calls, and some prefer service requests that are entered into ChildStory. NGOs must adapt to these different styles depending on the District.

DCJ Districts also vary in the processes that NGOs must follow to have a child’s needs reassessed. This is a routine process, but some Districts take three months to consider and approve a reassessment, while others complete the process more rapidly. If a child is reassessed as requiring a higher category of support, DCJ does not back-pay any increased allowances. This is regardless of the time during which the NGO has provided the child with increased services. In these Districts, NGOs must carry the financial burden for the time it takes for re-assessment approval processes.

The NSW Procurement Policy Framework includes an objective of ‘easy to do business’. This includes a requirement to pay suppliers within specific timeframes, and recommends that government agencies should limit contract length and complexity.

An external evaluation of the package-based system found that that the funding packages are complex and administratively burdensome, and that DCJ Districts have different models and approaches to implementing them. As a result, a child and family living in one District could receive very different care from a child in another District. In 2023, DCJ advised that it is considering the recommendations of the evaluation with the aim of operationalising relevant system reforms, while not increasing the administrative burden on NGOs.

Exhibit 16 shows the multiple stages that NGOs must navigate in DCJ’s complex, contract environment.

DCJ’s case management system lacks an effective business to business interface with NGO partners, and has not produced data on key deliverables

DCJ’s case management system promised a single entry point for NGOs to interact with DCJ. In 2017, DCJ commenced the rollout of ChildStory, its new case management system, at a cost of more than $130 million. While the ChildStory system has become an important repository for information about children in the child protection system, it has failed to deliver on some of its key intended functionalities. ChildStory does not provide an integrated business to business system interface with commissioned NGOs where they can record information about children and families in their care.

Most of the ChildStory system is locked off to NGOs, meaning that NGOs cannot use it as a case management system. NGO personnel must enter data into their own client information systems before manually replicating any required data into the ChildStory system. Until June 2022, NGO staff lost access to ChildStory if they did not log onto the system for a three month period, and staff had to reapply for access, increasing the administrative burden on some NGO personnel.

The lack of an integrated business to business interface between DCJ’s ChildStory and the NGO case management systems, has vastly increased levels of administrative handling for all parties, and frequently results in mismatched data between DCJ and NGOs. The process for NGOs to correct data errors in ChildStory requires contact with DCJ, and the process can be protracted. NGOs advise that they spend significant time on complex data reconciliation processes and that these processes have financial implications. In some instances, NGOs are asked to repay contract ‘underspends’ as a result of DCJ data errors.

The lack of system interface between DCJ and NGOs has been a lost opportunity to produce and report NGO trend data on a wide range of metrics. While some data is manually entered by NGOs into ChildStory Partner, and some systemwide data produced, it is only available for a limited number of key performance indicators. For example, it was intended that ChildStory would be used to collect and collate information about the status and wellbeing of children. According to DCJ, this has not been possible, as the system does not have the functionality to collate data from questionnaires or instruments that assess child wellbeing.

Given that many of the smaller NGO data systems have limited sophistication and functionality, the failure of ChildStory to become a case management system for all NGOs, means they are not able to produce trend data on a wider range of metrics. The inability to collate key data from all NGO service providers limits the statewide data that is available for service planning.

Until 2022−2023, DCJ did not contribute all required data to a national, publicly-reported dataset on child protection. The Australian Institute for Health and Wellbeing (AIHW) collates data from Australian states and territories every year. Child protection information is published on the AIHW website and provided to the Productivity Commission for the annual Report on Government Services. Since 2014−2015, AIHW requested that all states and territories provide anonymised child-level data for reporting and research purposes. DCJ did not provide this requested child-level data until 2022−2023. In previous years, DCJ provided the AIHW with aggregated data tables that lacked some of the required information.

ChildStory has not been effective for the contract management of NGOs and commissioned services. The system cannot be used to report and generate information about NGO contract activity, nor can it be used to make payments to NGOs.

Caseworkers advise that they spend significant time updating the case management system, limiting the time they have for child and family visits

DCJ has not quantified the amount of time that staff spend entering information and updating records. While DCJ completed a time and motion study on caseworker activity in 2021, the study did not include information on the time it takes for caseworkers to enter data for individual tasks. The DCJ caseworkers who were interviewed for this audit, advised that they spend a large proportion of their total working week entering data into the case management system, rather than visiting families or providing phone support to families.

DCJ’s ChildStory system does not display all of the summary information that caseworkers need in order to be efficient and effective in their role. For example, triage caseworkers need to know when a report was made to the Helpline, in order to meet the statutory period for response of 28 days after the report was received. This information is not shown in the triage transfer list and is only visible by clicking into case notes for each child, one at a time.

ChildStory does not contain accurate information about decisions made by frontline staff. Caseworkers are required to choose a reason when they close a child protection case. Reasons can include that the family was referred to an external service. There is no field for a caseworker to indicate that a case was closed because the child protection report related to a person who was external to the family. ChildStory does not have a case closure field to record that the parents were protective in instances when a child was at risk from someone outside the home. These cases are closed with the reason ‘No capacity to allocate’, resulting in inaccurate management reporting. This incorrect record keeping can be problematic for the family. It can mean that if the child is re-reported, there may be unnecessary interventions by DCJ in future.

DCJ advises that ChildStory is not being used to its full functionality and that District DCJ Offices have created arrangements that increase the administrative burden on staff. For example, in some Districts before a caseworker can submit an approval request in ChildStory to the relevant Director, the caseworker must attach an email with the same Director’s written approval. DCJ managers advise that ChildStory is not being used in ways that would allow for efficient approvals of ‘out of guidelines’ expenses. It is not known whether this is a training deficit, or related to another matter.

Up until recently, DCJ’s information management system did not have functionality to record and collate information about the service needs of children and families. DCJ advises that in 2022, a referral function was added to ChildStory. While DCJ advise that this functionality is being used for referrals to family preservation services, there is no evidence that caseworkers are using the function, or that referral data is collated and reported. Prior to July 2022, decisions to refer a child or family to therapeutic services were recorded in individual ChildStory case notes, and could not be extracted and reported as trend data.

Some Districts have developed local monitoring systems to track vacancies in local family preservation and targeted early intervention services. These local initiatives go some way to improving the planning for child protection services responses at the local level, but they are yet to be systematised.

DCJ advises that it is developing a service vacancy dashboard and it is due to be rolled out to all Districts in late 2023. In order for service information to be visible to DCJ staff, NGO partner agencies will need to regularly update their service vacancy information in the dashboard. Initially DCJ will collect data on which families were referred to services, and NGOs will be expected to enter information on attendance at program sessions at a later date.

DCJ has management reporting systems to track activity and outputs for child protection work, however some key metrics are missing

DCJ’s interactive internal dashboards effectively report against an agreed performance framework that measures caseworker activity. This provides DCJ managers with caseworker progress against targets such as seeing new children and families within specified timeframes. Managers can drill into the dashboard data to see individual cases and the caseworkers behind the numbers. This assists managers in allocating new cases to their frontline staff. While DCJ managers advise that they use the dashboards on a daily or weekly basis, they raised concerns that dashboards did not account for staff vacancies or new recruits who cannot carry a full caseload.

DCJ dashboards do not allow managers to focus on groups of children who are at greater risk of harm, or on children who require a tailored service. This limits the effectiveness of DCJ’s response. While Aboriginal children are identified on most internal dashboards, there are gaps in the identification of Aboriginal children, especially at the early Helpline assessments of child protection reports and at the initial caseworker assessment of child safety and risk. There is no indication in DCJ’s system to show whether a family has experienced intergenerational removal, despite these families needing a specific trauma-informed response. Children from Culturally and Linguistically Diverse (CALD) backgrounds are not reported clearly on dashboards and refugee children are not flagged.

Children and parents with disability are not identified accurately in ChildStory and are not reported on dashboards. The Disability Royal Commission found that parents with disability are over-represented in all stages of the child protection system, and that they are more likely to have their children removed from their care. The Commission found that child protection agencies are less likely to try to place children back in the care of parents with disability.

DCJ data is stored in a Corporate Information Warehouse, which combines child protection data and data about children in out of home care. This information is sourced from ChildStory. The Corporate Information Warehouse also includes staffing data, and contract management data from the Contracting Online Management System. The Warehouse is updated every night to ensure that management reports and dashboards are current. However, some key datasets are not included in the Warehouse, such as the Helpline report backlog, which means that the DCJ Executive does not have easy visibility of Helpline workload or delays in responding to electronic reports.

DCJ’s external dashboards provide limited public transparency about child protection and out of home care activity. Until early 2024 the dashboards did not show the numbers of children in emergency out of home care. In addition, the main quarterly and annual dashboards do not show the average time that children have been in out of home care. 

External reporting is managed by DCJ’s Insights Analysis and Research directorate, known as FACSIAR. In addition to quarterly and annual dashboards reporting key statistics, FACSIAR hosts monthly seminars presenting research findings aimed at improving caseworker practice. The seminars are well attended by DCJ and NGO caseworkers. FACSIAR also maintains a public evidence hub summarising research papers and evaluations.

While regular quantitative data is necessary for day-to-day management purposes, it is not sufficient to understand the experience and outcomes of children in out of home care. In order to deliver additional insights, DCJ has invested in a long-term study of children in out of home care through the Pathways of Care Longitudinal Study. This study follows children who entered care in NSW for the first time between May 2010 and October 2011 and includes data from external sources such as Medicare data, health and education records, and youth offending data. DCJ has used this data for research studies on topics such as outcomes for children with disability in out of home care, and to assist caseworkers in working with children and families through Evidence to Action notes.

DCJ’s system for requesting out of home care placements is ineffective, resulting in multiple unsuccessful requests to NGOs to place children

DCJ does not have a centralised system where its NGO service providers can indicate that they are able to take on new children requiring out of home care. There are almost 50 providers of out of home care services across the State, but no consolidated database showing that there are foster carers who are able to take on new children by location.

DCJ uses a system (known as the broadcast system) to notify NGOs that it needs a foster care placement or another placement type for a child. The number of placement broadcasts has increased from around 450 per month in 2018–2019, to over 1200 per month in 2022–2023, even though the number of children in out of home care has not risen during this timeframe.

Exhibit 17 shows the monthly numbers of children that were ‘broadcast’ to NGOs as requiring out of home care placements from July 2018 to June 2023.

Appendix one – Response from entities

Appendix two – DCJ Organisational Structure for Child Protection

Appendix three – Child protection flowchart from Family is culture review report 2019

Appendix four – About the audit

Appendix five – Performance auditing

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #394 - released 6 June 2024

What this report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2023.

Findings

Internal control trends

The proportion of control deficiencies identified as high-risk this year decreased to 4.5% (8.2% in 2022).

Repeat findings of control deficiencies represent 38% of all findings (48% in 2022). 

Information technology

Over half of the agencies reviewed have deficiencies in managing user access to their information systems. Over a third of agencies had deficiencies in their controls over privileged user accounts within their information technology environments. 

Cyber security

Over 80% of assessments for maturity levels against the NSW Cyber Security Policy have reported one or more self-assessed Mandatory Requirements are not practiced on a consistent and regular basis.

Essential Eight cyber controls have not improved, and they need to. 

Governance framework

Deficiencies were noted in agencies' governance and risk management frameworks, namely: outdated risk management policies, lack of risk appetite statements, and internal audit functions not being externally evaluated.  

Payroll and work health and safety (WHS)

Overtime expenses increased by 40% between 2020 and 2023, compared to salaries and wages which increased by 16% over the same period.

Five agencies have WHS policies that do not reflect current WHS regulations.

Recommendations

Several important recommendations were made for agencies to prioritise efforts to improve cyber security controls and cyber resilience measures.

It was also recommended that agencies periodically review their risk management maturity and implement action plans, and ensure their WHS policies and procedures reflect current legislation requirements including the need to manage psychosocial risks.

Internal controls are processes, policies and procedures that help agencies to:

• operate effectively and efficiently
• produce reliable financial reports
• comply with laws and regulations
• support ethical government.

This chapter outlines the overall trends for agency controls and governance issues, including the number of audit findings, the degree of risk those deficiencies pose to the agency, and a summary of the most common deficiencies found across agencies.

For consistency and comparability, we have adjusted the 2022 results to incorporate additional audit findings that were reported after the date of the Internal controls and governance 2022 report. Therefore, the 2022 figures will not necessarily align with those reported in our 2022 report.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agency controls to manage key financial systems.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' cyber security.

Governance in the context of the NSW public service refers to the structures, processes, and mechanisms by which government departments and agencies are held to account when they make decisions and implement policies and programs in the service of the public interest. It also includes the principles and practices that guide how these agencies work together.

This chapter outlines our audit observations, conclusions and recommendations from our review of agencies' governance frameworks and practices, with consideration of NSW Treasury issued policies and best practices. It focuses on two key areas: governance arrangements and risk management.

This chapter outlines our audit observations, conclusions and recommendations arising from our review of agencies' payroll controls and management of work health and safety (WHS).

What this report is about

Results of the Health portfolio of agencies' financial statement audits for the year ended 30 June 2023.

The audit found

Unmodified audit opinions were issued for all Health portfolio agencies' financial statements. 

The number of monetary misstatements increased in 2022–23, driven by key accounting issues, including the first-time recognition of paid parental leave and plant and equipment fair value adjustments. 

The key audit issues were 

NSW Health identified errors regarding the recognition and calculation of long service leave entitlements for employees with ten or more years of service that had periods of part time service in the first ten years, resulting in prior period restatements. 

Comprehensive revaluation of buildings at the Graythwaite Charitable Trust found errors in the previous year's valuation, resulting in prior period restatements. 

New parental leave legislation increased employee liabilities for portfolio agencies. The Ministry of Health corrected the consolidated financial statements to record parental leave liabilities for all agencies within the Health portfolio.   

A repeat high-risk issue relates to processing time records by administrators that have not been reviewed prior to running the pay cycle.   

Thirty per cent of reported issues were repeat issues. 

The audit recommended 

Portfolio agencies should ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards. 

Portfolio agencies should address deficiencies that resulted in qualified reports on:   

• the design and operation of shared service controls
• prudential non-compliance at residential aged care facilities.

This report provides Parliament and other users of the Health portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Health portfolio of agencies (the portfolio) for 2023.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines observations and insights from our financial statement audits of agencies in the Health portfolio.  

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What this report is about

Results of the Premier and Cabinet portfolio of agencies' financial statement audits for the year ended 30 June 2023.

What we found

Unqualified audit opinions were issued for all Premier and Cabinet portfolio agencies.

What the key issues were

The Administrative Arrangements Orders, effective 1 July 2023, changed the name of the Department of Premier and Cabinet to the Premier's Department and transferred parts of Department of Premier and Cabinet to The Cabinet Office.

The number of monetary misstatements identified in our audits decreased from 15 in 2021–22 to 12 in 2022–23.

The total number of management letter findings across the portfolio of agencies increased from ten in 2021–22 to 20 in 2022–23.

Thirty per cent of all issues were repeat issues. The most common repeat issues related to deficiencies in controls over financial reporting.

What we recommended

Portfolio agencies should:

• ensure any changes to employee entitlements are assessed for their potential financial statements impact under the relevant Australian Accounting Standards
• prioritise and address internal control deficiencies identified in Audit Office management letters.

This report provides Parliament and other users of the Premier and Cabinet portfolio of agencies’ financial statements with the results of our audits, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet portfolio of agencies (the portfolio) for 2023.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet portfolio.

Appendix one – Early close procedures

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Click here for the Easy English version of the report highlights

The Easy English version of the report highlights is intended to meet the needs of some people with lower literacy skills, some people with an intellectual disability, and some people from different cultural backgrounds.

The Easy English document is not the final audit report that has been prepared and tabled in NSW Parliament under s.38EB and s.38EC of the Government Sector Audit Act 1983. It should not be relied on or quoted from as the final audit report.

What this report is about

This audit assessed whether NSW Trustee and Guardian is effectively delivering public guardianship and financial management services in line with legislative requirements and standards.

What we found

NSW Trustee and Guardian is delivering guardianship and financial management services in line with its broad legal authority.

However, NSW Trustee and Guardian does not have sufficient oversight to ensure that its services are consistent with legislative principles which aim to promote positive client outcomes.

The agency's governance and practices could be better supported by relevant training and guidance to account for the diversity of its clients.

It does not track the actual costs of service delivery, the quality of services or client experiences and key findings from previous reviews remain unresolved.

Government funding for public guardianship services and direct financial management services for low-wealth clients has not kept pace with the growth in clients.

There is a risk that some fee-paying clients are unknowingly subsidising others.

NSW Trustee and Guardian has applied additional funding to increase frontline staff, but gaps in monitoring and IT system constraints create a risk that it will not address service quality issues, nor be able to demonstrate the impact of this new funding.

What we recommended

We recommended that NSW Trustee and Guardian:

• Broaden governance arrangements to enable input to key decisions from people with lived experience, relevant peak bodies and representatives of diverse communities.
• Implement mechanisms to seek feedback on the effectiveness and quality of services from clients under orders.
• Assess staff competency and implement regular training in effectively serving clients with disability, dementia, mental illness, cognitive impairments and other factors relevant to decision-making incapacity.
• Implement a risk-based quality framework to assess whether public guardian and financial management decisions are in line with policy and the legislative principles.
• Improve data collection and monitoring to track performance, the costs to serve, and client outcomes and report on these publicly.

NSW Trustee and Guardian is a NSW Government agency in the Stronger Communities cluster. It supports the NSW Trustee and the Public Guardian in the exercise of their statutory functions. It is accountable to the relevant Minister, the Attorney General.

The legislative responsibilities for the Public Guardian and the NSW Trustee are provided in separate statutes (NSW Trustee and Guardian Act 2009 and Guardianship Act 1987). Together, these establish a number of functions and services that NSW Trustee and Guardian as an agency is expected to deliver, including:

• acting as executor and administrator of deceased estates
• acting as a trustee responsible for managing trust property on behalf of another person or organisation in line with the trust terms
• drafting Will, Power of Attorney and Enduring Guardianship instruments, and educating the community about the importance of having these documents in place
• making decisions on behalf of people under guardianship or financial management orders as a guardian or a financial manager 'of last resort', or overseeing and assisting private financial managers.

This audit focuses on the last of these - NSW Trustee and Guardian's financial management and guardianship services.

The NSW Trustee and the Public Guardian are appointed to provide direct financial management and/or guardianship services (respectively) to over 13,300 people (as at 30 June 2022) who are deemed by a court or tribunal unable to manage their own affairs. This involves making decisions for people under a relevant court or tribunal order, within the terms of the order. The court or tribunal order enables the appointed guardian or financial manager to make decisions on behalf of the person for whom the order is made. The legislation allows the financial manager or guardian to exercise all the functions of the person under management has or would have were they not incapable of managing for themselves. From a legal perspective, these 'substitute decisions' have the same effect as if the person had made the decision themselves. While the legal presumption is that a person has capacity to care for themselves and manage their own affairs, a financial manager or guardian can be appointed without the person's consent if the court or tribunal finds the person does not have relevant decision-making capacity.

There can be a range of factors that impact on a person's decision-making capacity, including cognitive impairment, intellectual disability, dementia, mental illness and addiction. Guardianship (of both the person and their estate) developed as a response, through European and English law over hundreds of years. In Australia, it was a function of the Supreme Court of NSW before the establishment of government agencies. What is now known as substitute decision-making can sometimes be referred to as a 'protective' function because:

• it relates to decisions or actions that need to be taken, which the person under an order cannot take because they are incapable of managing their own affairs
• due to this lack of competence, the person may be disadvantaged in the conduct of their affairs (for example, their money or property may be dissipated or lost, they may enter agreements unwisely or they may be at risk of abuse or exploitation)
• substitute decisions must be made in the best interests of the person on whose behalf they are made.

An alternative model is 'supported decision-making'. This refers to processes and approaches that assist people with impaired decision-making capacity to exercise their autonomy and legal capacity by supporting them to make decisions. This approach seeks to give effect to the will and preferences of the person requiring decision-making support wherever possible, including decisions involving risk. There has been a longstanding legal and community push for Australian guardianship and administration systems to move from substituted to supported decision-making. However, the legislation in New South Wales provides for 'best interests' substitute decision-making and this is the framework against which we have audited NSW Trustee and Guardian.

The Public Guardian and the NSW Trustee may be appointed as substitute decision makers by the NSW Civil and Administrative Tribunal (NCAT) and the Supreme Court. The NSW Trustee may also be appointed by the Mental Health Review Tribunal for financial management orders only.¹ They are intended to be appointed as a 'last resort' when there is no one willing or suitable to fill the role, or there is significant family conflict regarding decision-making for the person. The Public Guardian and the NSW Trustee cannot refuse to accept a court or tribunal appointment to administer an order for guardianship or financial management.

Public Guardian decisions cover healthcare, lifestyle, accommodation and/or medical decisions such as where a person should live (for example: at home, in an aged care facility or disability group home), what disability or other support services they receive, who can have access to them (for example: through establishing visiting schedules between conflicting family members) and consent to the use of restrictive practices on the advice of independent experts (for example: seclusion, chemical restraint such as anti-psychotic medication, environmental restraints such as limiting access to knives).

Under a financial management order where the NSW Trustee is appointed as financial manager, the NSW Trustee carries out such functions as securing and collecting assets, income and entitlements, paying expenses, debts and designing budgets, investing financial assets, lodging tax returns and paying maintenance for dependents, taking or defending legal proceedings and managing other financial and legal affairs for the person. This is referred to as direct financial management.

A court or tribunal may appoint a private financial manager, such as a family member, friend, private trustee company or other commercial provider. Where a private manager is appointed, the NSW Trustee provides authorisation and directions to the private manager and oversees their performance. As at 30 June 2022, over 6,200 people had private managers.

As an agency, the majority of NSW Trustee and Guardian's overall revenue is from fees (including for services outside the scope of the audit, such as will preparation) and investments. The remainder is from the NSW Government as funding for non-commercial services including guardianship services and subsidised financial management services for low-wealth clients. Public guardian clients do not pay fees. Financial management clients pay fees, but these are subsidised where the client does not have capacity to pay full fees. NSW Trustee and Guardian is considered a self-funded agency by NSW Treasury definitions.

Demand for financial management and guardianship services, and the complexity of clients' circumstances for these services, has grown over the last decade. In November 2020, NSW Trustee and Guardian advised the Attorney General that it had run an operating deficit in 2019–20 driven by an increase in non/low fee paying customers and an increase in the complexity of matters. NSW Trustee and Guardian advised the Attorney General that government funding was no longer meeting the full cost of guardianship services, and of direct financial management services for people with low balances. NSW Trustee and Guardian's analysis had identified a shortfall in government funding of $8.4 million in 2019–20 that was expected to increase over the forward estimates. A working group was established with officers from NSW Trustee and Guardian, NSW Treasury and the Department of Communities and Justice to advise the government on options for improving the financial sustainability of NSW Trustee and Guardian overall.

NSW Trustee and Guardian subsequently received a funding boost of $41.5 million across four years in the 2021–22 State Budget. NSW Trustee and Guardian applied the majority of the budget enhancement to recruit approximately 120 new roles mostly in financial management and guardianship services.

The objective of this audit was to assess whether NSW Trustee and Guardian is effectively delivering guardianship and financial management services in line with legislative requirements and relevant non-legislative standards. These include a legislative duty to observe certain principles when exercising the relevant legislative functions, including to: give primary consideration to clients’ welfare and interests, restrict their freedom of decision and action as little as possible, take account of their views, and encourage their self-reliance.

The audit was guided by three questions:

• Does NSW Trustee and Guardian align its service delivery with its legislative functions and principles, and relevant standards?
• Does NSW Trustee and Guardian drive and monitor performance to give effect to its legislative functions and principles, and relevant standards?
• Has NSW Trustee and Guardian effectively planned the use of additional funding to improve service delivery and adherence to its legislative functions and principles, and relevant standards?

The audit review period was the five years between 1 July 2017 - 30 June 2022.

Throughout this report:

• 'client' refers to a person who is under a guardianship order and/or whose estate is under financial management, for whom the Public Guardian and/or the NSW Trustee is appointed to act or responsible to oversee their private financial manager
• 'financial management' refers to clients under financial management orders (direct and private financial management) and/or the services provided by NSW Trustee and Guardian to these clients or their private managers
• 'guardianship' refers to clients under guardianship orders where the Public Guardian is appointed, and/or the services provided by the Public Guardian to these clients
• 'frontline staff' refers to the staff responsible for engagement with, and decision-making for, clients and private managers (titled client service officers, senior client service officers and principal client service officers in NSW Trustee and Guardian)
• Aboriginal refers to the First Nations peoples of the land and waters now called Australia and includes Aboriginal and Torres Strait Islander peoples.

NSW Trustee and Guardian has only recently identified measures to track the performance of its financial management and guardianship services

Between 2021 and 2022, NSW Trustee and Guardian developed new divisional key performance indicators which aim to track the quality of services delivered to people under financial management and guardianship orders. These measures are reported quarterly to the organisation's executive leadership team. The divisions have started measuring some of these new performance indicators, but many will require changes to consumer engagement processes and IT legacy systems to collect additional data. At this stage it is unclear when these necessary changes will occur, and when relevant data will begin to be collected and analysed.

Before 2021, NSW Trustee and Guardian measured the performance of some of its financial management and guardianship operational processes. While these operational measures identify whether it is fulfilling some of its legislative functions, they are predominantly activity measures and do not inform on the quality of decision-making for direct financial management or guardianship clients, or on client experiences and outcomes.

Operational performance targets and measures have only recently been developed and used to centrally track the time elapsed between requests for certain decisions and the decisions made or relevant actions taken by relevant frontline staff. Baseline data for these measures show that target timeframes are not close to being met for minor medical decisions for people under guardianship orders, or for first customer payment, and redirection of income for people who are directly financially managed.

NSW Trustee and Guardian has proactively developed a benefits realisation framework to monitor the expected benefits from the additional funding received in 2021–22

NSW Trustee and Guardian has developed a benefits realisation framework to monitor the expected benefits from the additional funding (and other elements of the budget bid including increased fees and business improvements for efficiencies). This is not a requirement imposed by NSW Treasury, but a proactive step taken by NSW Trustee and Guardian to account for the use of the additional funding and to attempt to identify its impacts.

The benefits realisation framework includes interim and preferred measures, which reflect the things that can be tracked with existing data, and those that require new data collection, respectively. The measures are underpinned by separate program logics for direct and private financial management, and guardianship, and an overall investment logic. 'Logics' articulate the inputs, outputs and short/medium/long term outcomes expected from a project, program or investment, as well as the underpinning assumptions about how desired changes will occur (the 'mechanism' or 'theory' of change).

The targets and measures for NSW Trustee and Guardian's benefits realisation framework are the responsibility of the organisational divisions delivering guardianship and financial management services. The baseline data against which change will be measured is 30 June 2021, as the budget enhancement funds were allocated from 1 July 2021. The audit has been provided with baseline data, but not first year results (covering 2021–22) and as such, cannot assess whether any progress has been made towards the targets.

The benefits realisation framework may not provide the information needed to demonstrate the effectiveness of the budget enhancement

A lack of available data and limited measures in the benefits realisation framework may mean NSW Trustee and Guardian will not be able to meaningfully assess the impact of the additional funding.

The 22 measures in the benefits realisation framework across guardianship and financial management functions are predominantly monitoring activity and outputs which seek to track staff caseloads, the number of decisions made, the timeliness of key actions/tasks, and annual consumer engagements.

There is one service quality outcome measure: that customers, family and carers report an improved experience. The metrics for this measure will initially be monitored using the whole-of-government customer satisfaction measurement survey administered by the Department of Customer Service, until such time as other additional sources are developed. The whole-of-government survey is built around six core customer commitments relating to respondents' experiences with government services and staff - that they are: 'easy to access, act with empathy, respect my time, explain what to expect, resolve the situation and engage the community'. It is not clear whether or how the whole-of-government survey targets and engages people with impaired decision-making capacity or accessible communication needs.

Some measures in the NSW Trustee and Guardian benefits realisation framework do not yet have targets set, such as the ratio of the number of clients to the number of guardians or financial managers. Many relate to compliance with internal operational policies.

One interim measure for a direct financial management service indicator is 'increased personalised face-to-face consultations by phone or virtually'. It is intended to be replaced with the preferred measure 'ensure the client’s story is understood by staff and systems by consulting stakeholders and adding to the client’s story in the IT system'. However, the interim measure would better align with the national standards regarding regular and accessible engagement (discussed above).

A lack of availability of key data to track the preferred measures was identified by NSW Trustee and Guardian as an enterprise risk, and issues with existing data collected were identified early on, including that:

• data can be entered into systems inconsistently by staff
• current systems mask some issues – for example, a task can be completed within internal timeframes but not reflect the actual waiting time of consumers
• current systems cater to measuring outputs rather than service quality.

IT system improvements are slated in order to allow data to be collected to inform on preferred measures, but these depend on capital funding that has not yet been secured. At the time of writing, data sources were yet to be identified for three of the 22 measures, and NSW Trustee and Guardian did not have staff trained and available to run and analyse data for the benefits realisation framework.

The mechanisms of change and the underlying assumptions in the program and investment logics are also not clearly articulated in the benefits realisation framework, and nor is the underpinning evidence (such as from earlier reviews, research or pilots, or experiences elsewhere). Identifying and evidencing these would give some confidence that the assumptions are sound and that the mechanisms of change will operate as expected (for example, that a decline in frontline staff caseloads will translate into more time spent on individual matters, and improved service quality).

Given these limitations in measures, data collection and logics, there is a risk that the benefits realisation framework may not provide the performance and impact evidence necessary to assess the effectiveness of the budget enhancement, or to justify further additional funding in the future.

NSW Trustee and Guardian cannot track its financial management and guardianship service performance over time

NSW Trustee and Guardian's operational performance activity measures have changed over the audit review period, which limits NSW Trustee and Guardian’s ability to identify whether it has sustained or improved performance in its guardianship and financial management services over time.

NSW Trustee and Guardian has consistently tracked the number and themes of complaints about financial management and guardianship services, which do provide some insight into service quality and experiences. However, this is an incomplete measure as people under financial management and guardianship orders are a more vulnerable cohort than other NSW Trustee and Guardian customers and may require support to make a complaint. There is also a structural power imbalance between clients and their guardian or financial manager which may dissuade clients and their stakeholders from raising concerns. Therefore, it is not clear whether the numbers and themes in complaints received are representative of broader experiences.

Appendix one – Response

Appendix two – Client characteristics

Appendix three – Easy English, Easy Read and Plain English formats

Appendix four – Financial management fees

Appendix five – NSW Trustee and Guardian Common Funds

Appendix six – About the audit

Appendix seven – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #379 - released 18 May 2023

What the report is about

This audit assessed how effectively NSW government agencies procure and manage consultants. It examined the role of the NSW Procurement Board and NSW Procurement (a unit within NSW Treasury) in supporting and monitoring agency procurement and management of consultants.

The audit used four sources of data that contain information about spending on consultants by NSW government agencies, including annual report disclosures and the State's financial consolidation system (Prime). It also reviewed a sample of consulting engagements from ten NSW government agencies.

What we found

Our review of a selection of consulting engagements indicates that agencies do not procure and manage consultants effectively.

We found most agencies do not use consultants strategically and do not have systems for managing or evaluating consultant performance. We also found examples of non-compliance with procurement rules, including contract variations that exceeded procurement thresholds.

NSW Procurement has made improvements to the information available about spending on consultants, including additional analysis and reporting. However, there is no single data source that accurately captures spending on consultants.

Our analysis of data on whole-of-government spending on consultants, drawn from agency annual reports, indicates that four large professional services firms accounted for about a quarter of consultancy expenditure from 2017–18 to 2021–22. This concentration increases strategic risks, including over-reliance on a limited number of providers and potential reduction in the independence of advice.

It is also highly unlikely that NSW government agencies will meet the government's 2019 policy commitment to reduce consultancy expenses by 20% each year, over four years, from 2019–20. NSW Treasury advised that to implement this commitment, agency budgets were reduced in Prime in line with the savings targets. However, actual spending on consulting in NSW Treasury's Reports on State Finances 2020–21 and 2021–22 was almost $100 million higher than the savings targets over the first three years since 2019–20.

What we recommended

The report made seven recommendations which aim to improve:

• the quality and transparency of data on spending on consultants
• monitoring of strategic risks and agency compliance with procurement and recordkeeping rules
• agencies' strategic use of consultants, including evaluation and knowledge retention.

Between 2017–18 and 2021–22, NSW government agency annual reports disclosed total spending of around $1 billion on consultants across more than 10,000 engagements. More than 1,000 consulting firms provided services to NSW government agencies during this period. Consulting is a classification of professional services that is characterised by giving advice or recommendations on a specific issue. The NSW Procurement Board Direction PBD-2021-03 defines a consultant as a person or organisation that provides 'recommendations or professional advice to assist decision-making by management'. PBD-2021-03 notes that the advisory nature of the work of consultants is the main factor that distinguishes them from other providers of professional services.

The NSW Procurement Board is responsible for setting procurement policy, issuing directions to support policies, and monitoring and reporting on agency compliance with policies and directions. NSW Procurement, a division within NSW Treasury, supports agencies to comply with the NSW Procurement Board’s policies and directions. A 'devolved governance model' is used for procurement in New South Wales. This means the heads of government entities that are covered by the NSW Procurement Board’s directions are responsible for managing the entity's procurement, including managing risks, reporting and ensuring compliance, in line with procurement laws and policies.

This audit assessed how effectively NSW government agencies procure and manage consultants. It assessed the role of the NSW Procurement Board and NSW Procurement in supporting and monitoring agency procurement and management of consultants. It also reviewed a sample of consulting engagements from ten NSW government agencies to examine how agencies procured, managed and reported on their use of consultants. The ten NSW government agencies were:

• NSW Treasury
• Department of Communities and Justice
• Department of Customer Service
• Department of Education
• Department of Planning and Environment
• Department of Premier and Cabinet
• Department of Regional NSW
• Infrastructure NSW
• Sydney Metro
• Transport for NSW

There are four different sources of data that contain information about spending on consultants by NSW government agencies: the State's financial consolidation system (Prime), disclosures of spending on consultants in agency annual reports, and two systems operated by NSW Procurement (the Business Advisory Services (BAS) dashboard and Spend Cube). Each of these data sources serves a different purpose, and collects and categorises information differently. None of these provide a complete source of data on spending on consultants, either in their own right or collectively.

NSW Treasury considers Prime to be the 'source of truth' on consulting expenditure across the NSW public sector. An account within Prime records recurrent spending on consultants, but this account does not include capital expenditure (that is, spending on consultants that has from a financial reporting perspective been 'capitalised' to a project on the balance sheet). As the State's financial consolidation system, Prime captures all financial information. However, capitalised consulting expenditure is recorded within various capital accounts, and is not identifiable within these accounts. While this is appropriate for accounting purposes, it means that the Prime account that records recurrent consulting expenditure does not reflect total spending on consultants by NSW government agencies. We used the data in Prime to assess whether NSW government agencies met the NSW Government's policy commitment—stated before the 2019 election and costed by the Parliamentary Budget Office—to reduce recurrent expenditure on consulting by 20% each year, over four years, from 2019–20. We did this because, while the Prime account for recurrent consulting expenditure does not reflect all spending on consultants, it does capture the recurrent spending that was subject to the policy commitment.

Most NSW government agencies are required by legislation to disclose spending on consultants (as defined in PBD-2021-03) in their annual reports. These disclosures include both recurrent and capital expenditure. For consulting engagements that cost more than $50,000, the disclosures also provide itemised information, including the names of the individual projects and the consultants used. While this data is more complete than Prime because it includes capital expenditure, it also has some gaps. Some entities are excluded from public reporting requirements on consultant use. For example, NSW Local Health Districts (LHD) are not required to produce annual reports, and the Ministry of Health does not include LHD consulting expenditure in its annual report.¹ We used annual report disclosure data to report on total expenditure on consultants, and the concentration of suppliers of consulting services to NSW government agencies.

The BAS dashboard and Spend Cube are systems created by NSW Procurement to collect information about spending on suppliers of professional services. This includes consultants, but also includes other professional services providers. The systems were not designed for reporting on spending on consulting as defined in PBD-2021-03. However, we have used this data to assess specific aspects of NSW Procurement's monitoring of the use of consultants by NSW government agencies.

In 2018, we conducted an audit titled 'Procurement and reporting of consultancy services'. This assessed how 12 NSW government agencies complied with procurement requirements and how NSW Procurement supported the functions of the NSW Procurement Board. The 2018 audit found that none of the 12 agencies fully complied with NSW Procurement Board Directions on the use of consultants and that the NSW Procurement Board was not fully effective in overseeing and supporting agencies’ procurement of consultants. Specific findings from the 2018 audit included: 

• Agencies applied the definition of consultant inconsistently, which affected the accuracy of reporting on consultancy expenditure.
• There was inadequate guidance from NSW Procurement for agencies implementing the procurement framework, with a need for additional tools, automated processes, and other internal controls to improve compliance.
• NSW Procurement had insufficient data for effective oversight of procurement and did not publish any data on the procurement of consultancy services by NSW government agencies.

This chapter outlines our findings on the role of NSW Procurement in overseeing the use of consultants by NSW government agencies.

This chapter outlines our findings on the use of consultants by the ten NSW government agencies that were included in this audit.

Appendix one – Responses from auditees

Appendix two – About the audit

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #378 - released 2 March 2023

What the report is about

This audit assessed the effectiveness of the NSW Rural Fire Service (RFS) and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression.

What we found

The RFS has focused its fleet development activity on modernising and improving the safety of its firefighting fleet, and on the purchase of new firefighting aircraft.

There is limited evidence that the RFS has undertaken strategic fleet planning or assessment of the capability of the firefighting fleet to respond to current bushfire events or emerging fire risks.

The RFS does not have an overarching strategy to guide its planning, procurement, or distribution of the firefighting fleet.

The RFS does not have effective oversight of fleet maintenance activity across the State, and is not ensuring the accuracy of District Service Agreements with local councils, where maintenance responsibilities are described.

What we recommended

1. Develop a fleet enhancement framework and strategy that is informed by an assessment of current fleet capability, and research into appropriate technologies to respond to emerging fire risks.
2. Develop performance measures to assess the performance and capabilities of the fleet in each RFS District by recording and publicly reporting on fire response times, fire response outcomes, and completions of fire hazard reduction works.
3. Report annually on fleet allocations to RFS Districts, and identify the ways in which fleet resources align with district-level fire risks.
4. Develop a strategy to ensure that local brigade volunteers are adequate in numbers and appropriately trained to operate fleet appliances in RFS Districts where they are required.
5. Establish a fleet maintenance framework to ensure regular update of District Service Agreements with local councils.
6. Review and improve processes for timely recording of fleet asset movements, locations, and maintenance status.

This audit assessed how effectively the NSW Rural Fire Service (the RFS) plans and manages the firefighting equipment needed to prevent, mitigate, and suppress bushfires. This audit also examined the role of local councils in managing bushfire equipment fleet assets. Local councils have vested legal ownership of the majority of the land-based firefighting fleet, including a range of legislated responsibilities to carry out fleet maintenance and repairs. The RFS has responsibilities to plan and purchase firefighting fleet assets, and ensure they are ready for use in response to fires and other emergencies.

This report describes the challenges in planning and managing the firefighting fleet, including a confusion of roles and responsibilities between the RFS and local councils in relation to managing certain land-based rural firefighting fleet – a point that has been made in our Local Government financial audits over several years. This role confusion is further demonstrated in the responses of the RFS and local councils to this audit report – included at Appendix one.

The lack of cohesion in roles and responsibilities for managing rural firefighting vehicles increases the risk that these firefighting assets are not properly maintained and managed, and introduces a risk that this could affect their readiness to be mobilised when needed.

While the audit findings and recommendations address some of the operational and organisational inefficiencies in relation to rural firefighting equipment management, they do not question the legislative arrangements that govern them. This is a matter for the NSW Government to consider in ensuring the fleet arrangements are fit for purpose, and are clearly understood by the relevant agencies.

The NSW Rural Fire Service (hereafter the RFS) is the lead combat agency for bushfires in New South Wales, and has the power to take charge of bushfire prevention and response operations anywhere in the State. The RFS has responsibilities to prevent, mitigate and suppress bushfires across 95% of the State, predominantly in the non-metropolitan areas of New South Wales. Fire and Rescue NSW is responsible for fire response activity in the cities and large townships that make up the remaining five per cent of the State.

The RFS bushfire fleet is an integral part of the agency's overall bushfire risk management. The RFS also uses this fleet to respond to other emergencies such as floods and storms, motor vehicle accidents, and structural fires. Fleet planning and management is one of a number of activities that is necessary for fire mitigation and suppression.

The Rural Fires Act 1997 (Rural Fires Act) imposes obligations on all landowners and land managers to prevent the occurrence of bushfires and reduce the risk of bushfires from spreading. Local councils have fire prevention responsibilities within their local government areas, principally to reduce fire hazards near council owned or managed assets, and minor roads.

The RFS is led by a Commissioner and is comprised of both paid employees and volunteer rural firefighters. Its functions are prescribed in the Rural Fires Act and related legislation such as the State Emergency Rescue Management Act 1989. The RFS functions are also described in Bush Fire Risk Management Plans, the State Emergency Management Plan, District Service Agreements, and RFS procedural documents. Some of the core responsibilities of the RFS include:

• preventing, mitigating, and suppressing fires across New South Wales
• recruiting and managing volunteer firefighters in rural fire brigades
• purchasing and allocating firefighting fleet assets to local councils
• establishing District Service Agreements with local councils to give the RFS permissions to use the fleet assets that are vested with local councils
• carrying out fleet maintenance and repairs when authorised to do so by local councils
• inspecting the firefighting fleet
• supporting land managers and private property owners with fire prevention activity.

In order to carry out its legislated firefighting functions, the RFS relies on land-based vehicles, marine craft, and aircraft. These different firefighting appliance types are referred to in this report as the firefighting fleet or fleet assets.

RFS records show that in 2021 there were 6,345 firefighting fleet assets across NSW. Most of the land-based appliances commonly associated with firefighting, such as water pumpers and water tankers, are purchased by the RFS and vested with local councils under the Rural Fires Act. The vesting of firefighting assets with local councils means that the assets are legally owned by the council for which the asset has been purchased. The RFS is able to use the firefighting assets through District Service Agreements with local councils or groups of councils.

In addition to the land-based firefighting fleet, the RFS owns a fleet of aircraft with capabilities for fire mitigation, suppression, and reconnaissance during fire events. The RFS hires a fleet of different appliances to assist with fire prevention and hazard reduction works. These include aircraft for firefighting and fire reconnaissance, and heavy plant equipment such as graders and bulldozers for hazard reduction. Hazard reduction works include the clearance of bush and grasslands around major roads and protected assets, and the creation and maintenance of fire trails and fire corridors to assist with fire response activity.

The RFS is organised into 44 RFS Districts and seven Area Commands. The RFS relies on volunteer firefighters to assist in carrying out most of its firefighting functions. These functions may include the operation of the fleet during fire response activities and training exercises, and the routine inspection of the fleet to ensure it is maintained according to fleet service standards. Volunteer fleet inspections are supervised by the RFS Fire Control Officer.

In 2021 there were approximately 73,000 volunteers located in 1,993 rural fire brigades across the State, making the RFS the largest volunteer fire emergency service in Australia. In addition to brigade volunteers, the RFS has approximately 1,100 salaried staff who occupy leadership and administrative roles at RFS headquarters and in the 44 RFS Districts.

Local councils have legislative responsibilities relating to bushfire planning and management. Some of the core responsibilities of local councils include:

• establishing and equipping rural fire brigades
• contributing to the Rural Fire Fighting Fund
• vested ownership of land-based rural firefighting equipment
• carrying out firefighting fleet maintenance and repairs
• conducting bushfire prevention and hazard reduction activity.

The objective of this audit was to assess the effectiveness of the RFS and local councils in planning and managing equipment for bushfire prevention, mitigation, and suppression. From the period of 2017 to 2022 inclusive, we addressed the audit objective by examining whether the NSW RFS and local councils effectively:

• plan for current and future bushfire fleet requirements
• manage and maintain the fleet required to prevent, mitigate, and suppress bushfires in NSW.

This audit did not assess:

• the operational effectiveness of the RFS bushfire response
• the effectiveness of personal protective equipment and clothing
• the process of vesting of rural firefighting equipment with local councils
• activities of any other statutory authorities responsible for managing bushfires in NSW.

As the lead combat agency for the bushfire response in NSW, the RFS has primary responsibility for bushfire prevention, mitigation, and suppression.

Three local councils were selected as case studies for this audit, Hawkesbury City Council, Wagga Wagga City Council and Uralla Shire Council. These case studies highlight the ways in which the RFS and local councils collaborate and communicate in rural fire districts.

The RFS has not made significant changes to the size or composition of the firefighting fleet in the past five years and does not have an overarching strategy to drive fleet development

Since 2017, the RFS has made minimal changes to its firefighting fleet volumes or vehicle types. The RFS is taking a fleet renewal approach to fleet planning, with a focus on refurbishing and replacing ageing firefighting assets with newer appliances and vehicles of the same classification and type. While the RFS has adopted a fleet renewal approach, driven by its Appliance Replacement Program Guide, it does not have a strategy or framework to guide its future-focused fleet development. There is no document that identifies and analyses bushfire events and risks in NSW, and matches fleet resources and fleet technologies to meet those risks. The RFS does not have fleet performance measures or targets to assess whether the size and composition of the fleet is meeting current or emerging bushfire climate hazards, or fuel load risks across its 44 NSW Fire Districts.

The RFS fleet currently comprises approximately 4,000 frontline, operational firefighting assets such as tankers, pumpers, and air and marine craft, and approximately 2,300 logistical vehicles, such as personnel transport vehicles and specialist support vehicles. Of the land-based firefighting vehicles, the RFS has maintained a steady number of approximately 3,800 tankers and 65 pumpers, year on year, for the past five years. This appliance type is an essential component of the RFS land-based, firefighting fleet with capabilities to suppress and extinguish fires.

Since 2017, most RFS fleet enhancement activity has been directed to upgrades and the modernisation of older fleet assets with new safety features. There is limited evidence of research into new fleet technologies for modern firefighting. The RFS fleet volumes and fleet types have remained relatively static since 2017, with the exception of the aerial firefighting fleet. Since 2017, the RFS has planned for, and purchased, six additional aircraft to add to the existing three aircraft in its permanent fleet.

While the RFS has made minimal changes to its fleet since 2017, in 2016 it reduced the overall number of smaller transport vehicles, by purchasing larger vehicles with increased capacity for personnel transport. The consolidation of logistical and transport vehicles accounts for an attrition in fleet numbers from 7,058 in 2016, to 6,315 in 2017 as shown in Exhibit 2.

The firefighting fleet management system is not always updated in a timely manner due to insufficient RFS personnel with permissions to make changes in the system

The RFS uses a fleet management system known as SAP EAM to record the location and status of firefighting fleet assets. The system holds information about the condition of the firefighting fleet, the home location of each fleet asset, and the maintenance, servicing, and inspection records of all assets. The RFS uses the system for almost all functions related to the firefighting fleet, including the location of vehicles so that they can be dispatched during operational exercises or fire responses.

Staff at RFS Headquarters are responsible for creating and maintaining asset records in the fleet management system. RFS District staff have limited permissions in relation to SAP EAM. They are able to raise work orders for repairs and maintenance, upload evidence to show that work has been done, and close actions in the system.

RFS District staff are not able to enter or update some fleet information in the system, such as the location of vehicles. When an RFS District receives a fleet appliance, it cannot be allocated to a brigade until the location of the asset is accurately recorded in the system. The location of the asset must be updated in the SAP EAM system by staff at RFS Headquarters. District staff can request system support from staff at RFS Headquarters to enter this information. At the time of writing, the position responsible for updating the fleet management system at RFS Headquarters was vacant, and RFS District personnel reported significant wait times in response to their service requests.

The RFS conducts annual audits of SAP EAM system information to ensure data is accurate and complete. RFS staff are currently doing data cleansing work to ensure that fleet allocations are recorded correctly in the system.

Communication between brigades, local councils and the RFS needs improvement to ensure that fleet information is promptly updated in the fleet management system

RFS brigade volunteers do not have access to the fleet management system. When fleet assets are used or moved, volunteers report information about the location and condition of the fleet to RFS District staff using a paper-based form, or by email or phone. Information such as vehicle mileage, engine hours, and defects are all captured by volunteers in a logbook which is scanned and sent to RFS District staff. RFS District staff then enter the relevant information into the fleet management system, or raise a service ticket with RFS Headquarters to enter the information.

Brigade volunteers move fleet assets for a range of reasons, including for fire practice exercises. If volunteers are unable to report the movement of assets to RFS District staff in a timely manner, this can lead to system inaccuracies. Lapses and backlogs in record keeping can occur when RFS staff at district offices or at Headquarters are not available to update records at the times that volunteers report information. A lack of accurate record keeping can potentially impact on RFS operational activities, including fire response activity.

Brigade volunteers notify RFS District staff when fleet appliances are defective, or if they have not been repaired properly. District staff then enter the information into the fleet management system. The inability of volunteers to enter information into the system means they have no visibility over their requests, including whether they have been approved, actioned, or rejected.

Local councils are responsible for servicing and maintaining the firefighting fleet according to the Rural Fires Act, but this responsibility can be transferred to the RFS through arrangements described in local service agreements. Council staff record all fleet servicing and maintenance information in their local systems. The types of fleet information that is captured in local council records can vary between councils. RFS staff described the level of council reporting, and the effectiveness of this process, as 'mixed'.

Councils use different databases and systems to record fleet assets, and some councils are better resourced for this activity than others

Firefighting fleet information is recorded in different asset management systems across NSW. Each council uses its own asset management system to record details about the vested fleet assets. All three councils that were interviewed for this audit had different systems to record information about the fleet. In addition, the type of information captured by the three councils was varied.

Local councils have varying levels of resources and capabilities to manage the administrative tasks associated with the firefighting fleet. Some of the factors that impact on the ability of councils to manage administrative tasks include: the size of the council; the capabilities of the information management systems, the size of the staff team, and the levels of staff training in asset management.

Uralla Shire Council is a small rural council in northern NSW. This council uses financial software to record information about the firefighting fleet. While staff record information about the condition of the asset, its replacement value, and its depreciation, staff do not record the age of the asset, or its location. Staff manually enter fleet maintenance information into their systems. Uralla Shire Council would like to purchase asset maintenance software that generates work orders for fleet repairs and maintenance. However, the council does not have trained staff in the use of asset management software, and the small size of the fleet may not make it financially worthwhile.

The Hawkesbury City Council uses a single system to capture financial and asset information associated with the firefighting fleet. Hawkesbury is a large metropolitan council located north-west of Sydney, with a relatively large staff team in comparison with Uralla Shire Council. The Hawkesbury City Council has given RFS District staff access to their fleet information system. RFS District staff can directly raise work orders for fleet repairs and maintenance through the council system, and receive automated notifications when the work is complete.

Two of the three audited councils report that they conduct annual reviews of fleet assets to assess whether the information they hold is accurate and up-to-date.

More than half of the fleet maintenance service agreements between the RFS and local councils have not been reviewed in ten years, and some do not reflect local practices

Local councils have a legislated responsibility to service, repair, and maintain the firefighting fleet to service standards set by the RFS. Councils may transfer this responsibility to the RFS through District Service Agreements. The RFS Districts are responsible for ensuring that the service agreements are current and effective.

The RFS does not have monitoring and quality control processes to ensure that service agreements with local councils are reviewed regularly. The RFS has 73 service agreements with local councils or groups of councils. Sixty-three per cent of service agreements had not been reviewed in the last ten years. Only four service agreements specify an end date and, of those, one agreement expired in 2010 and had not been reviewed at the time of this audit.

The RFS does not have a framework to ensure that service agreements with local councils reflect actual practices. Of the three councils selected for audit, one agreement does not describe the actual arrangements for fleet maintenance practices in RFS Districts. The service agreement with Hawkesbury City Council specifies that the RFS will maintain the firefighting fleet on behalf of council when, in fact, council maintains the firefighting fleet. The current agreement commenced in 2012, and at the time of writing had not been updated to reflect local maintenance practices.

When District Service Agreements are not reviewed periodically, there is a risk that neither local councils nor the RFS have clear oversight of the status of fleet servicing, maintenance, and repairs.

RFS District Service Agreements set out a requirement that RFS and local councils establish a liaison committee. Liaison committees typically include council staff, RFS District staff, and RFS brigade volunteers. While service agreements state that liaison committees must meet periodically to monitor and review the performance of the service agreement, committee members determine when and how often the committee meets.

RFS District staff and staff at the three audited councils are not meeting routinely to review or update their service agreements. At Wagga Wagga City Council, staff meet with RFS District staff each year to report on activity to fulfil service agreement requirements. Uralla Shire Council staff did not meet routinely with RFS District staff before 2021. When liaison committees do not meet regularly, there is a risk that the RFS and local councils have incorrect or outdated information about the location, status, or condition of the firefighting fleet. Given that councils lack systems to track and monitor fleet locations, regular communication between the RFS and local councils is essential.

The RFS has not established processes to ensure that local councils and RFS District personnel meet and exchange information about the fleet. Of the three councils selected for this audit, one council had not received information about the number, type, or status of the fleet for at least five years, and did not receive an updated list of appliances until there was a change in RFS District personnel. This has impacted on the accuracy of council record keeping. Councils do not always receive notification about new assets or information about the location of assets from the RFS, and therefore cannot reflect this information in their accounting and reporting.

RFS area commands audit system records to ensure fleet inspections occur as planned, but central systems are not always updated, creating operational risks

RFS District staff are required by the Rural Fires Act to ensure the firefighting fleet is inspected at least once a year. Regular inspections of the fleet are vital to ensure that vehicles are fit-for-purpose and safe for brigade volunteers. Inspections are also fundamental to the operational readiness and capability of RFS to respond to fire incidents.

RFS Area Command personnel conduct audits of fleet maintenance data to ensure that fleet inspections are occurring as planned. These inspections provide the RFS with assurance that the fleet is being maintained and serviced by local council workshops, or third-party maintenance contractors.

Some RFS Districts run their own fleet management systems outside of the central management system. They do this to manage their fleet inspection activity effectively. Annual fleet inspection dates are programmed by staff at RFS Headquarters. Most of the inspection dates generated by RFS Headquarters are clustered together and RFS Districts need to separate inspection times to manage workloads over the year. Spreading inspection dates is necessary to avoid exceeding the capacity of local council workshops or third party contractors, and to ensure that fleet are available during the bushfire season.

The fleet inspection records at RFS Headquarters are not always updated in a timely manner to reflect actual inspection and service dates of vehicles. District staff are not able to change fleet inspection and service dates in the central management system because they do not have the necessary permissions to access the system. The usual practice is for RFS District staff to notify staff at RFS Headquarters, and ask them to retrospectively update the system. As there is a lag in updating the central database, at a point in time, the actual inspection and service dates of vehicles can be different to the dates entered in the central fleet management system.

Fleet inspection and maintenance records must be accurately recorded in the central RFS management system for operational reasons. RFS Headquarters personnel need to know the location and maintenance status of fleet vehicles at all times in order to dispatch vehicles to incidents and fires. The RFS fleet management system is integrated with a new Computer Aided Dispatch System. The Computer Aided Dispatch System assigns the nearest and most appropriate vehicles to fire incidents. The system relies on accurate fleet locations and fleet condition information in order to dispatch these vehicles.

There is a risk that RFS Headquarters' systems do not contain accurate information about the location and status of vehicles. Some may be in workshops for servicing and repair, while the system may record them as available for dispatch. As there are many thousands of fleet vehicles, all requiring an annual service and inspection, a lack of accurate record keeping has wide implications for State fire operations.

RFS is currently exploring ways to improve the ways in which fleet inspections are programmed into the fleet management system.

RFS provides funds to councils to assist with maintaining the firefighting fleet, but does not receive fleet maintenance cost information from all local councils

Each year the RFS provides local councils with a lump sum to assist with the cost of repairing and maintaining the firefighting fleet. This lump sum funding is also used for meeting the costs of maintaining brigade stations, utilities, and other miscellaneous matters associated with RFS business.

In 2020–21, the RFS provided NSW local councils with approximately $23 million for maintenance and repairs of appliances, buildings, and utilities. Ninety councils were provided with lump sum funding in 2021, receiving on average $257,000. The amounts received by individual councils ranged from $56,200 to $1,029,884.

Some councils provide itemised repairs and maintenance reports to RFS District staff, showing the work completed and the cost of that work. However, not all councils collect this information or provide it to the RFS. Local councils collect fleet maintenance information in their local council systems. In some cases, the responsibility for fleet maintenance is shared across a group of councils, and not all councils have oversight of this process.

The RFS has not taken steps to require local councils to provide itemised maintenance costings for the firefighting fleet. Thus, the RFS does not have a clear understanding of how local councils are spending their annual fleet maintenance funding allocations. The RFS does not know if the funding allocations are keeping pace with the actual cost of repairing and maintaining the fleet.

RFS District staff report that funding shortfalls are impacting on the prioritisation of fleet servicing and maintenance works in some council areas. When fleet servicing and maintenance is not completed routinely or effectively, there is a risk that it can negatively impact the overall condition and lifespan of the vehicle. Poor processes in relation to fleet maintenance and repair risk impacting on the operational capabilities of the fleet during fire events.

The timeliness and effectiveness of fleet servicing and maintenance is affected by resource levels in RFS Districts and local councils

Local councils have a legislated responsibility to service and maintain the firefighting fleet to the service standards set by the RFS. Fleet maintenance is usually done by the entity with the appropriate workshops and resources, and the maintenance arrangements are described in District Service Agreements. RFS District staff conduct annual inspections to ensure that the firefighting fleet has been serviced and maintained appropriately, and is safe for use by brigade volunteers. If the fleet has not been maintained to RFS service standards or timelines, RFS District staff may work with local councils to support or remediate these works.

The effectiveness of this quality control activity is dependent on relationships and communication between the RFS Districts and local councils. While some RFS staff reported having positive relationships with local councils, others said they struggled to get fleet maintenance work done in a timely manner. Some councils reported that funding shortfalls for fleet maintenance activity was impacting on the prioritisation of RFS fleet maintenance works. When fleet maintenance work is not completed routinely or effectively, it can negatively impact on the overall condition and lifespan of the vehicle. It can also reduce the capacity of the RFS to respond to fire events.

Fleet quality control activities are carried out by RFS District staff. In some of the smaller RFS Districts, one person is responsible for liaising with local councils and brigade volunteers about fleet maintenance and repairs. In the regions where resources are limited, there is less ability to maintain ongoing communication. This is impacting on fleet service and maintenance timelines and the timeliness of fleet monitoring activity.

The RFS has mutual support arrangements with agencies in NSW and interstate, though shared fleet levels are yet to be quantified

The RFS has arrangements with state, federal, and international fire authorities to provide mutual support during fire incidents. In NSW, the RFS has agreements with the three statutory authorities – Fire and Rescue NSW, the Forestry Corporation of NSW, and the NSW National Parks and Wildlife Service. The agreement with Fire and Rescue NSW provides a framework for cooperation and joint operations between the agencies. The agreements with the Forestry Corporation of NSW and the NSW National Parks and Wildlife Service describe the control and coordination arrangements for bush and grass fires across NSW. These arrangements are set out in legislation and incorporated into local Bush Fire Risk Management Plans.

The RFS has agreements with fire authorities in three of the four Australian states and territories that share a border with NSW – the Australian Capital Territory, Queensland, and South Australia. Each agreement sets out the arrangements for mutual assistance and joint operations, including arrangements for sharing aircraft. The agreement between the RFS and Victoria had lapsed. The RFS told the NSW Bushfire Inquiry that the agreement with Victoria would be finalised by June 2020. In June 2022, the RFS reported that the agreement was in the process of being finalised.

The arrangements for mutual aid from Western Australia, Northern Territory and Tasmania, are managed by the National Resource Sharing Centre. These agreements set out the arrangements for interstate assistance between Australian fire services, emergency services, and land management agencies in those states and territories.

These mutual support arrangements may assist during state-based fire events. However, when there are competing demands for resources, such as during the bushfires of 2019–2020, there can be limits on fleet availability. During the 2019–2020 fires, resources were stretched in all jurisdictions as these fires affected NSW, Victoria, and Queensland.

There are opportunities for the RFS and other NSW agencies to quantify fleet resources across the State and identify assets that can be mobilised for different fire activities. This form of fleet planning may be used to enhance surge capabilities during times of high fire activity. There are also opportunities for the RFS and other agencies to match the levels of shared assets to projected bushfire risks.

Appendix one – Responses from agencies 

Appendix two – About the audit 

Appendix three – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #376 - released 27 February 2023