What this report is about

Extreme rainfall across eastern Australia in 2021 and 2022 led to a series of major flood events in New South Wales.

This audit assessed how effectively the NSW Government provided emergency accommodation and temporary housing in response to the early 2022 Northern Rivers and late 2022 Central West flood events.

Responsible agencies included in this audit were the Department of Communities and Justice, NSW Reconstruction Authority, the former Department of Planning and Environment, the Department of Regional NSW and the Premier’s Department.

Findings

The Department of Communities and Justice rapidly provided emergency accommodation to displaced persons immediately following these flood events.

There was no plan in place to guide a temporary housing response and agencies did not have agency-level plans for implementing their responsibilities.

The NSW Government rapidly procured and constructed temporary housing villages. However, the amount of temporary housing provided did not meet the demand.

There is an extensive waitlist for temporary housing and the remaining demand in the Northern Rivers is unlikely to be met. The NSW Reconstruction Authority has not reviewed this list to confirm its accuracy.

Demobilisation plans for the temporary housing villages have been developed, but there are no long-term plans in place for the transition of tenants out of the temporary housing.

Agencies are in the process of evaluating the provision of emergency accommodation and temporary housing.

The findings from the 2022 State-wide lessons process largely relate to response activities.

Audit recommendations

The NSW Reconstruction Authority should:

• Develop a plan for the provision of temporary housing.
• Review the temporary housing waitlist.
• Determine a timeline for demobilising the temporary housing villages.
• Develop a strategy to manage the transition of people into long-term accommodation.
• Develop a process for state-wide recovery lessons learned.

All audited agencies should:

• Finalise evaluations of their role in the provision of emergency accommodation and temporary housing.
• Develop internal plans for implementing their roles under state-wide plans.

Read the PDF report

Parliamentary reference - Report number #389 - released 22 February 2024

What this report is about

Results of the financial statement audits of the public universities in NSW for the year ended 31 December 2022.

What we found

Unmodified audit opinions were issued for all ten universities.

Nine universities reported net deficits in 2022, and all showed a decline from their 2021 results.

Results were impacted by a decline in investment income and government grants.

Wage remediation provisions across the universities increased by 116% to $110 million at 31 December 2022.

Expenditure increased as universities transitioned back to face-to-face teaching with the lifting of most COVID-19 restrictions.

Revenue from overseas students decreased by 0.5% overall in 2022, although not all universities were impacted equally.

Nearly 42% of fees and charges revenue came from overseas student revenue from three countries of origin (43% in 2021).

What the key issues were

We reported 88 findings to universities on internal control deficiencies (105 in 2021).

Six high risk findings were identified (four in 2021), relating to:

• IT control deficiencies in monitoring privileged user access
• password configuration
• cyber security process improvements
• lack of security over access to EFT payment files
• the status of a university's work in assessing its liability for underpayment of staff
• inadequate review of contracts leading to incorrect accounting treatments.

Two out of 13 entities reported financial losses from cyber incidents in 2022.

Retention policies on personally identifiable information (PII) vary and universities can further reduce their PII exposure risk from cyber attack.

What we recommended

Universities should:

• conduct a comprehensive assessment of their employment agreements and historical pay practices to identify potential underpayments
• prioritise actions to address repeat findings on internal control deficiencies in a timely manner
• review their PII retention policies to ensure PII stored is limited to the entity's needs, held only for the minimum duration it is legally and operationally required, and access is strictly limited.

This report provides Parliament with the results of our financial audits of universities in New South Wales and their controlled entities in 2022, including our analysis, observations and recommendations in the following areas:

• financial reporting
• internal controls and governance
• teaching and research.

Financial reporting is an important element of good governance. Confidence and transparency in university sector decision-making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of universities in NSW for 2022.

Appropriate financial controls help to ensure the efficient and effective use of resources and administration of policies. They are essential for quality and timely decision-making.

This chapter outlines our observations and insights from our financial statement audits of NSW universities.

Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These, along with the less significant matters, are reported to universities for management to address.

Universities' primary objectives are teaching and research. They invest most of their resources aiming to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.

This chapter outlines teaching and research outcomes for universities in NSW for 2022.

Appendix one – List of 2022 recommendations

Appendix two – Status of 2021 recommendations

Appendix three – Universities' controlled entities 

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This audit assessed the effectiveness of NSW Government agencies’ coordination of the response to COVID-19, with a focus on the Delta variant outbreak in the Dubbo and Fairfield Local Government Areas (LGA) between June and November 2021. We audited five agencies - the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service.

The audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

What we found

Prior to Delta, agencies developed capability to respond to COVID-19 related challenges.

However, lessons learned from prior reviews of emergency management arrangements, and from other jurisdictions, had not been implemented when Delta emerged in June 2021. As a result, agencies were not as fully prepared as they could have been to respond to the additional challenges presented by Delta.

Gaps in emergency management plans affected agencies' ability to support individuals, families and businesses impacted by restrictions to movement and gathering such as stay-at-home orders. In LGAs of concern, modest delays of a few days had a significant impact on people, especially those most vulnerable.

On 23 July 2021, the NSW Government established a cross-government coordinating approach, the Delta Microstrategy, which complemented existing emergency management arrangements, improved coordination between NSW Government agencies and led to more effective local responses.

Where possible, advice provided to government was supported by cross-government consultation, up-to-date evidence and insights. Public Health Orders were updated as the response to Delta intensified or to address unintended consequences of previous orders. The frequency of changes hampered agencies' ability to effectively communicate changes to frontline staff and the community in a rapidly evolving situation.

The NSW Government could provide greater transparency and accountability over decisions to apply Public Health Orders during a pandemic.

What we recommended

The audit made seven recommendations intended to improve transparency, accountability and preparedness for future emergency events.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (Fairfield City Council and Dubbo Regional Council) between June and November 2021.

As noted in this report, Resilience NSW was responsible for the coordination of welfare services as part of the emergency management arrangements. On 16 December 2022, the NSW Government abolished Resilience NSW.

During the audited period, Resilience NSW was tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions and it provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC was, and remains, responsible for the coordination and oversight of emergency management policy and preparedness.

Our work for this performance audit was completed on 15 November 2022, when we issued the final report to the five audited agencies. While the audit report does not make specific recommendations to Resilience NSW, it does include five recommendations to the State Emergency Management Committee. On 8 December 2022, the then Commissioner of Resilience NSW provided a response to the final report, which we include as it is the formal response from the audited entity at the time the audit was conducted.

The community of New South Wales has experienced significant emergency events during the past three years. COVID-19 first emerged in New South Wales after bushfire and flooding emergencies in 2019–20. The pandemic is now into its third year, and there have been further extreme weather and flooding events during 2021 and 2022.

Lessons taken from the experience of these events are important to informing future responses and reducing future risks to the community from emergencies.

This audit focuses on the NSW Government's response to the COVID-19 pandemic, and in particular, the Delta variant (Delta) that occurred between June and November 2021. The response to the Delta represents six months of heightened challenges for the NSW Government.

Government responses to emergencies are guided by legislation. The State Emergency and Rescue Management Act 1989 (SERM Act) establishes emergency management arrangements in New South Wales and covers:

• coordination at state, regional and local levels through emergency management committees
• emergency management plans, supporting plans and functional areas including the State Emergency Management Plan (EMPLAN)
• operations centres and controllers at state, regional and local levels.

This audit focuses on the activities of five agencies during the audit period:

• The NSW Police Force led the emergency management response and was responsible for coordinating agencies across government in providing the tactical and operational elements that supported and enhanced the health response to the pandemic. The NSW Police Force also led the compliance response which enforced Public Health Orders and included household checks on those required to isolate at home after testing positive to COVID-19. In some parts of NSW, they were supported by the Australian Defence Force in this role.
• NSW Health was responsible for leading the health response which coordinated all parts of the health system, initially to prevent, and then to manage, the pandemic.
• Resilience NSW coordinated welfare services as part of the emergency management arrangements and provided secretariat support to the State Emergency Management Committee (SEMC). The SEMC is responsible for the coordination and oversight of emergency management policy and preparedness. Resilience NSW was also tasked with supporting the needs of communities subject to stay-at-home orders or stricter restrictions.
• The Department of Customer Service (DCS) was responsible for the statewide strategic communications response.
• The Department of Premier and Cabinet (DPC) held a key role in providing policy and legal services, as well as supporting the coordination of activity across a range of functional areas and decision-making by our State’s leaders.

This audit assessed the effectiveness of NSW Government agencies’ coordination (focused on the Department of Premier and Cabinet, NSW Health, the NSW Police Force, Resilience NSW and the Department of Customer Service) of the COVID-19 response in selected Local Government Areas (LGA) (Fairfield City Council and Dubbo Regional Council) after June 2021.

The audit investigated whether:

• government decisions to apply LGA-specific Public Health Orders were supported by effective crisis management governance and planning frameworks
• agencies effectively coordinated in the communication (and enforcement) of Public Health Orders.

While focusing on the coordination of NSW Government agencies’ response to the Delta variant in June through to November 2021, the audit also considered relevant planning and preparation activities that occurred prior to June 2021 to examine how emergency management and public health responses learned from previous events.

This audit does not assess the effectiveness of other specific COVID-19 responses such as business support. It refers to the preparedness, planning and delivery of these activities in the context of supporting communities in selected LGAs. NSW Health's contribution to the Australian COVID-19 vaccine rollout was also subject to a separate audit titled 'New South Wales COVID-19 vaccine rollout' tabled in NSW Parliament on 7 December 2022. 

This audit is part of a series of audits which have been completed, or are in progress, regarding the New South Wales COVID-19 emergency response. The Audit Office of New South Wales '2022–2025 Annual Work Program' details the ongoing focus our audits will have on providing assurance on the effectiveness of emergency responses.

In this document Aboriginal refers to the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.

The COVID-19 pandemic arrived in Australia in late January 2020 as the bushfire and localised flooding emergencies were in their final stages. Between 2020 and mid-2021, agencies responded to the initial variants of COVID-19, managed a border closure with Victoria that lasted nearly four months and dealt with localised ‘flare-ups’ that required postcode-based restrictions on mobility in northern parts of Sydney and regional New South Wales. During this period, New South Wales had the opportunity to learn from events in Victoria which imposed strict restrictions on mobility across the State and the growing emergence of the Delta variant (Delta) across the Asia Pacific.

This section of the report assesses how emergency management and public health responses adapted to these lessons and determined preparedness for, and responses to, widespread community transmission of Delta in New South Wales.

The previous chapter discusses how agencies had refined the existing emergency management arrangements to suit the needs of a pandemic and describes some gaps that were not addressed. This chapter explores the first month of Delta (mid-June to mid-July 2021). It explores the areas where agencies were prepared and responses in place for the outbreak. It also discusses the impact of the gaps that were not addressed in the period prior to Delta and other issues that emerged.

NSW Health provided advice on the removal of restrictions based on up-to-date advice

The NSW Government discussed the gradual process for removing restrictions using the Doherty Institute modelling provided to National Cabinet on 10 August 2021. NSW Health highlighted the importance of maintaining a level of public health and safety measure bundles to further suppress case numbers. This was based on additional modelling from the Doherty Institute.

The Department of Regional NSW led discussion and planning around reopening with a range of proposal through August and September 2021. The Department of Premier and Cabinet and NSW Health jointly developed a paper to provide options on the restrictions when the State reached a level of 70% double dose vaccinations.

The roadmap to reopening was originally published on 9 September 2021. However, by 11 October 2021, the restrictions were relaxed when the 70% double dose threshold was reached to allow:

• up to ten fully vaccinated visitors to a home (increased from five)
• up to 30 fully vaccinated people attending outdoor gatherings (increased from 20)
• weddings and funerals limits increased to 100 people (from 50)
• the reopening of indoor pools for training, exercise and learning purposes only.

On the same day, the NSW Government announced further relaxation of restrictions once the 80% double dose threshold was reached. These restrictions were further relaxed on 8 November 2021. This included the removal of capacity restrictions to the number of visitors to a private residence, indoor pools to reopen for all purposes and density limits of one person for every two square metres, dancing allowed in nightclubs and 100% capacity in major stadia.

The NSW Government allowed workers in regional areas who received one vaccination dose to return to their workplace from 11 October 2021.

The Premier extended the date of easing of restrictions for unvaccinated people aged over 16 from 1 December to 15 December 2021.

Many agencies have undertaken reviews of their response to the Delta outbreak but a whole-of-government review has yet to be conducted

Various agencies and entities associated with the response to the Delta outbreak conducted after-action review processes. These processes assessed the achievements delivered, lessons learned and opportunities for improvement. However, a whole-of-government level review has not been conducted. This limits the New South Wales public service's ability to improve how it coordinates responses in future emergencies.

The agencies/entities that conducted reviews included:

• South West Metropolitan region, Western NSW region, Fairfield Local Emergency Management Committee (LEMC), Dubbo Local Emergency Operations Controller (LEOCON), which were collated centrally by the State Emergency Operations Centre (SEOC)
• Aboriginal Affairs NSW assessed representation and relevance of the emergency management arrangements for Aboriginal communities following the 2019 bushfires
• Resilience NSW developed case studies to capture improved practice with regard to food security and supply chains
• a community support and empowerment-focused after-action review undertaken by the Pillar 5 workstream of the Microstrategy.

Key lessons collated from the after-action reviews include:

• the impact of variation in capability across agencies on the management of key aspects of the response including welfare support and logistics
• issues with boundary differences between NSW Police Force regions, local government areas (LGA and local health districts (LHD) caused issues in delivering and coordinating services in an emergency situation 
• the need to improve relationships between state and local Government outside of acute emergency responses to improve service delivery 
• issues arising from impediments to information sharing between agencies and jurisdictions, such as:
  • timeliness and accuracy of data used to direct compliance activities
  • the impact of insufficient advance notice on changes to Public Health Orders
  • timely access to data across public sector agencies and other jurisdictions to inform decision-making, analysis and communications
  • gaps in data around ethnicity, geolocation of recent positive cases and infection/vaccination rates in Aboriginal communities.
• the lack of Aboriginal community representation on many LEMCs
• compared with the response to COVID-19 in 2020, improved coordination of communications with Culturally and Linguistically Diverse (CALD) populations with a reduction in overlapping messages and over-communication
• improved attendance from agency representatives in LEMCs, and regional emergency operations centres (REOC) to improve interagency communications, planning, capability development and community engagement issues
• deficiencies in succession planning and fatigue management practices
• the potential for REOC Welfare/Well-being subgroups to be included as part of the wider efforts to community needs during emergencies.

NSW Health commenced a whole of system review of its COVID-19 response in May 2022. At the time of writing, the completion due date for the debrief is 7 November 2022. This debrief is expected to explore:

• governance
• engagement 
• innovation and technology 
• community impact 
• workforce impact
• system impact and performance.

NSW Health is also undertaking a parallel Intra-Action Review that is focused on the public health aspects of the response with finalisation estimated for the end of November 2022. At the time of completing this performance audit report, NSW Health had not finalised these reviews and, as a result, we cannot validate their findings against our own observations.

Recent inquiries are likely to impact the governance of emergency management in New South Wales

In March 2022, the NSW Government established an independent inquiry to examine and report on the causes of, preparedness for, response to and recovery from the 2022 floods. The Flood Inquiry report made 28 recommendations, which the NSW Government supported in full or in principle. Some of the recommendations relate directly to the governance and leadership of emergency management arrangements in New South Wales. 

The State Emergency Management Committee (SEMC) will likely be involved in, and impacted by, the recommendations arising from the Flood Inquiry with potential changes to its membership and reshaping of functional areas and agencies. At the same time, the SEMC may have a role in overseeing the changes that emerge from the SEOC consolidated after-action reviews. This can also extend to ensuring local and regional bodies have incorporated the required actions. There is a risk that the recommendations from the pandemic-based after-action reviews may not be considered due to the priority of action resulting from the Flood Inquiry.

Furthermore, there is potential for the SEMC to work with NSW Health during its system-wide review. Such an approach is likely to improve preparedness for future events.

Appendix one – Response from agencies

Appendix two – Chronology 2020–2021

Appendix three – About the audit

Appendix four – Performance auditing

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

Parliamentary reference - Report number #371 - released 20 December 2022

What the report is about

In this report, we have analysed the key findings and recommendations from our audit reports over the past four years.

This analysis includes financial audits, performance audits, and compliance audits of state and local government entities that were tabled in NSW Parliament between July 2018 and February 2022.

The report is framed by recognition that the past four years have seen significant challenges and emergency events.

The scale of government responses to these events has been wide-ranging, involving emergency response coordination, service delivery, governance and policy.

The report is a resource to support public sector agencies and local government to improve future programs and activities.

What we found

Our analysis of findings and recommendations is structured around six key themes:

• Integrity and transparency
• Performance and monitoring
• Governance and oversight
• Cyber security and data
• System planning for disruption
• Resource management.

The report draws from this analysis to present recommendations for elements of good practice that government agencies should consider in relation to these themes. It also includes relevant examples from recent audit reports.

In this report we particularly call out threats to the integrity of government systems, processes and governance arrangements.

The report highlights the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

I am pleased to present the Audit Insights 2018–2022 report. This report describes key findings, trends and lessons learned from the last four years of audit. It seeks to inform the New South Wales Parliament of key risks identified and to provide insights and suggestions to the agencies we audit to improve performance across the public sector.

The report is framed by a very clear recognition that governments have been responding to significant events, in number, character and scale, over recent years. Further, it acknowledges that public servants at both state and council levels generally bring their best selves to work and diligently strive to deliver great outcomes for citizens and communities. The role of audit in this context is to provide necessary assurance over government spending, programs and services, and make suggestions for continuous improvement.

A number of the matters highlighted in this report are similar to those described in our previous Insights Report, (Performance Audit Insights: key findings from 2014–2018) specifically in relation to cyber and information security, to performance measurement, reporting and evaluation, and system and workforce planning and capability.

However, in this report we particularly call out threats to the integrity of government systems, processes and governance arrangements. We highlight the need for balanced advice to government on options and risks, for transparent documentation and reporting of directions and decisions, and for early and open sharing of information with integrity bodies and audit. Arguably, these considerations are never more important than in an increasingly complex environment and in the face of significant emergency events and they will be key areas of focus in our future audit program.

While we have acknowledged the challenges of the last few years have required rapid responses to address the short-term impacts of emergency events, there is much to be learned to improve future programs. I trust that the insights developed in this report provide a helpful resource to public sector agencies and local government across New South Wales. I would be pleased to receive any feedback you may wish to offer.

Margaret Crawford
Auditor-General for New South Wales

This report brings together a summary of key findings arising from NSW Audit Office reports tabled in the New South Wales Parliament between July 2018 and February 2022. This includes analysis of financial audits, performance audits, and compliance audits tabled over this period.

• Financial audits provide an independent opinion on the financial statements of NSW Government entities, universities and councils and identify whether they comply with accounting standards, relevant laws, regulations, and government directions.
• Performance audits determine whether government entities carry out their activities effectively, are doing so economically and efficiently, and in accordance with relevant laws. The activities examined by a performance audit may include a selected program or service, all or part of an entity, or more than one government entity. Performance audits can consider issues which affect the whole state and/or the local government sectors.
• Compliance audits and other assurance reviews are audits that assess whether specific legislation, directions, and regulations have been adhered to.

This report follows our earlier edition titled 'Performance Audit Insights: key findings from 2014–2018'. That report sought to highlight issues and themes emerging from performance audit findings, and to share lessons common across government. In this report, we have analysed the key findings and recommendations from our reports over the past four years. The full list of reports is included in Appendix 1. The analysis included findings and recommendations from 58 performance audits, as well as selected financial and compliance reports tabled between July 2018 and February 2022. The number of recommendations and key findings made across different areas of activity and the top issues are summarised at Exhibit 1.

The past four years have seen unprecedented challenges and several emergency events, and the scale of government responses to these events has been wide-ranging involving emergency response coordination, service delivery, governance and policy. While these emergencies are having a significant impact today, they are also likely to continue to have an impact into the future. There is much to learn from the response to those events that will help the government sector to prepare for and respond to future disruption. The following chapters bring together our recommendations for core elements of good practice across a number of areas of government activity, along with relevant examples from recent audit reports.

This 'Audit Insights 2018–2022' report does not make comparative analysis of trends in public sector performance since our 2018 Insights report, but instead highlights areas where government continues to face challenges, as well as new issues that our audits have identified since our 2018 report. We will continue to use the findings of our Insights analysis to shape our future audit priorities, in line with our purpose to help Parliament hold government accountable for its use of public resources in New South Wales.

Appendix one – Included reports, 2018–2022

Appendix two – About this report

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

What the report is about

This report draws together the financial impact of COVID-19 on the agencies integral to responses across the state government sector of New South Wales.

What we found

Since the COVID-19 pandemic hit NSW in January 2020, and until 30 June 2021, $7.5 billion was spent by state government agencies for health and economic stimulus. The response was largely funded by borrowings.

The key areas of spending since the start of COVID-19 in NSW to 30 June 2021 were:

• direct health response measures – $2.2 billion
• personal protective equipment – $1.4 billion
• small business grants – $795 million
• quarantine costs – $613 million
• increases in employee expenses and cleaning costs across most agencies
• vaccine distribution, including vaccination hubs – $71 million.

The COVID-19 pandemic significantly impacted the financial performance and position of state government agencies.

Decreases in revenue from providing goods and services were offset by increases in appropriations, grants and contributions, for health and economic stimulus funding in response to the pandemic.

Most agencies had expense growth, due to additional operating requirements to manage and respond to the pandemic along with implementing new or expanded stimulus programs and initiatives.

Response measures for COVID-19 have meant the NSW Government is unlikely to meet targets in the Fiscal Responsibility Act 2012 being:

• annual expense growth kept below long-term average revenue growth
• elimination of State’s unfunded superannuation liability by 2030.

This report analyses the results of our audits of the Premier and Cabinet cluster agencies for the year ended 30 June 2021.

Our preferred approach is to table the ‘Report on State Finances’ in Parliament before any other cluster report. This is because the 'Report on State Finances' focuses on the audit results and observations relating to the Total State Sector Accounts, in effect a consolidation of all government agencies. This year the 'Report on State Finances' has been delayed due to significant accounting issues being considered in the Total State Sector Accounts and which may impact the Treasury and Transport clusters.

As there are no outstanding matters relating to audits in the Premier and Cabinet cluster impacting the Total State Sector Accounts we have decided to break with normal practice and table this cluster report ahead of the ‘Report on State Finances’.

What the report is about

The results of the Premier and Cabinet cluster (the cluster) agencies' financial statement audits for the year ended 30 June 2021.

What we found

Unmodified audit opinions were issued for all Premier and Cabinet cluster agencies.

The number of monetary misstatements decreased from 49 in 2019–20 to 38 in 2020–21.

The Library Council of New South Wales corrected a prior period error of $325 million. In 2017, the council split its collection assets into six asset classes, but not the related asset revaluation reserves. To correct this error, some revaluation decrements previously recognised in asset revaluation reserves were reclassified to accumulated funds.

Eight agencies did not complete all of the mandatory early close procedures.

What the key issues were

The Premier and Cabinet cluster was impacted by three Machinery of Government (MoG) changes during 2020–21.

The changes resulted in the transfer of activities and functions in and out of the cluster and the creation of a new entity - Investment NSW.

The transferor entities continued to provide services to Investment NSW subsequent to 30 June 2021. There were no formal service level agreements in place for the provision of these services.

The New South Wales Electoral Commission (the Commission) and Sydney Opera House Trust obtained letters of financial support from their relevant Minister and/or NSW Treasury in 2020–21. The postponement of local government elections impacted the Commission's operations due to increased planned expenditure to support a COVID-safe election. Sydney Opera House Trust's ability to generate revenue was impacted due to the closure of the Concert Hall partly due to COVID-19 and planned renovations.

The number of repeated audit issues raised with management and those charged with governance increased from 22 in 2019–20 to 24 in 2020–21.

There were 47 moderate risk and 28 low risk findings identified. Of the total findings there were 24 repeat issues.

What we recommended

Investment NSW should ensure services received from other agencies are governed by service level agreements.

This report provides Parliament and other users of the Premier and Cabinet’s financial statements with the results of our audits, our observations, analysis, conclusions and recommendations in the following areas:

• financial reporting
• audit observations.

Financial reporting is an important element of good governance. Confidence and transparency in public sector decision making are enhanced when financial reporting is accurate and timely.

This chapter outlines our audit observations related to the financial reporting of agencies in the Premier and Cabinet cluster (the cluster) for 2021.

Appropriate financial controls help ensure the efficient and effective use of resources and administration of agency policies. They are essential for quality and timely decision making.

This chapter outlines our observations and insights from our financial statement audits of agencies in the Premier and Cabinet cluster.

Appendix one – Misstatements in financial statements submitted for audit

Appendix two – Early close procedures

Appendix three – Timeliness of financial reporting

Appendix four – Financial data

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

The Auditor-General for New South Wales, Margaret Crawford, released a report today examining the effectiveness of Service NSW’s handling of customers’ personal information to ensure its privacy.

The audit found that Service NSW is not effectively handling personal customer and business information to ensure its privacy. Service NSW continues to use business processes that pose a risk to the privacy of personal information. This includes the routine emailing of personal information between Service NSW service centres and other agencies, which is one of the processes that contributed to the data breach earlier this year. The audit found that previously identified risks and recommended solutions had not been implemented on a timely basis.

The Auditor-General made eight recommendations aimed at ensuring improved processes, technologies, and governance arrangements for how Service NSW handles customers’ personal information.

The Hon. Victor Dominello, MP, Minister for Customer Service, requested this audit under section 27(B)(3)(c) of the Public Finance and Audit Act 1983 following public reports in May 2020 of a cyber security attack which had led to a breach of Service NSW customer information. This audit also included the Department of Customer Service which supports Service NSW with privacy, risk and governance functions.

Service NSW was established in 2013 with the intention that it would, over time, 'become the primary interaction point for customers accessing New South Wales Government transaction services'.

Service NSW's functions are set out in the Service NSW (One stop Access to Government Services) Act 2013. This legislation allows for other NSW Government agencies to delegate to and enter into agreements with the Chief Executive Officer of Service NSW in order for Service NSW to undertake service functions for the agency.

Service NSW now has agreements with 36 NSW Government client agencies to facilitate over 1,200 types of interactions and transactions for the community.

The nature of each agreement between Service NSW and its client agencies varies. Some client agencies have delegated authority to allow Service NSW staff to conduct transactions on their behalf in the agencies' systems. Other arrangements do not include the same degree of delegation. In these cases, Service NSW provides services such as responding to enquiries and validating documents.

In addition, Service NSW conducts transactions for its own programs, such as the Seniors Card. Personal information for these programs, as well as information for customers' MyServiceNSW accounts, are stored by Service NSW on its Salesforce Customer Relationship Management (CRM) system.

In March 2020, Service NSW suffered two cyber security attacks in short succession. Technical analysis undertaken by the Department of Customer Service (DCS) concluded that these attacks resulted from a phishing exercise through which external threat actors gained access to the email accounts of 47 staff members. These attacks resulted in the breach of a large amount of personal customer information that was contained in these email accounts. See Section 1.1 for further details.

This audit is being conducted in response to a request from the Hon. Victor Dominello, Minister for Customer Service, under section 27B(3)(c) of the Public Finance and Audit Act 1983. Minister Dominello requested that the Auditor General conduct a performance audit in relation to Service NSW's handling of sensitive customer and business information.

This audit assessed how effectively Service NSW handles personal customer and business information to ensure its privacy.

It addressed the following:

• Does Service NSW have processes and governance in place to identify and manage risks to the privacy of personal customer and business information?
• Does Service NSW have policies, processes and systems in place that support the effective handling of personal customer and business information to ensure its privacy?
• Has Service NSW effectively implemented its policies, processes and systems for managing personal customer and business information?

1. Key findings

Service NSW identifies privacy risks, but the controls and processes it put in place to mitigate these privacy risks were not adequate to prevent or limit the extent of the data breach that occurred in March 2020

Service NSW’s approach to risk management is framed by its Risk Management Guideline, which defines 'privacy and compliance' as one of the key types of risk for the agency. Service NSW's enterprise risk register identifies four strategic privacy related risks. Service NSW has set out a zero level appetite for privacy risk in its risk appetite statement.

Service NSW has assessed the adequacy of its controls for privacy risks as needing improvement. To be fully effective, the Risk Management Guideline says that these controls should have a focus that is ‘largely preventative and address the root causes’.

One of the business processes that was a key contributing factor to the data breach was the emailing of personal information by Service NSW staff to client agencies.

This process had been identified as a risk prior to the breach and some steps had been put in place to mitigate the risk. In particular, staff were required to manually delete emails that contained personal information. However, these measures were ineffective in preventing the breach, as the external threat actors still gained access to 47 staff email accounts that contained a large amount of personal information.

It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches. However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information. This is expected to limit the quantity of information retained in email accounts for extended periods.

Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies. Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million customers

There are weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system. These weaknesses include deficiencies in governance of role based access, monitoring and audit of staff access, and partitioning of program specific transaction information. These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers which is stored in this system.

In addition, there is an absence of important controls to safeguard customers' privacy, such as multi factor authentication and reviewable logs of access history to their information. Such controls, when properly implemented, would enhance the control that customers are able to exercise over their personal information.

A privacy impact assessment conducted on Service NSW’s Salesforce CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi factor authentication to their accounts. While both these recommendations appeared positively received by Service NSW, neither have been implemented.

Since its inception, Service NSW’s use of Salesforce has extended to storing transaction data, particularly for transactions for which Service NSW is responsible, such as the Seniors Card. It also holds details of over four million MyServiceNSW account holders, including name, email address and phone number, and optional address details. It was not originally intended for the system to hold this volume and nature of customer information.

Lines of responsibility for meeting privacy obligations are unclear between Service NSW and its client agencies

Service NSW's privacy management plan does not clearly set out the privacy obligations of Service NSW and its client agencies. It sets out that 'compliance with the privacy principles will primarily be the responsibility of that [client] agency'. However, Service NSW has its own obligations under the security principles of the Privacy and Personal Information Protection Act 1998 (PPIP Act) to take reasonable steps to prevent unauthorised access to personal information, which is not made clear in the privacy management plan.

The agreements between Service NSW and client agencies reviewed for this audit only include general and high level references to privacy. Most do not include details of each parties' privacy responsibilities such as: which agency will provide the customer with a privacy notice explaining how their personal information will be handled, how personal information will be kept secure, how long Service NSW will retain information, what processes will be followed for internal reviews, and what specific planning is in place to respond to data breaches.

Service NSW's privacy management plan has not been updated to include new programs and governance changes

Service NSW's privacy management plan includes most of the matters required by law or good practice, with some exceptions. It does not explain any exemptions that the agency commonly relies on under the PPIP Act and does not address any health information that Service NSW may handle. It had also not been updated to reflect governance changes and the fact that, at the time this audit commenced, Service NSW was disclosing the content of internal review applications (the formal expression for 'complaints') to the Department of Customer Service (DCS). These governance changes were part of the centralisation of Service NSW's corporate support functions into DCS in late 2019, though internal review staff were seconded back into Service NSW during the course of this audit.

The current July 2019 privacy management plan has also not been updated since the rollout of a number of major new initiatives in 2020. These include 2019–20 bushfire emergency recovery initiatives (such as small business grants) and COVID 19 pandemic response initiatives (such as small business grants, border permits and the COVID safe check in app).

Service NSW routinely conducts privacy impact assessments for new initiatives, though privacy risks remain in legacy systems and processes

Service NSW routinely conducts privacy impact assessments for major new initiatives and the assessments reviewed for this audit largely accorded with good practice guidance.

Service NSW does not routinely review existing processes and systems to ensure that they are effective in ensuring the privacy of customer personal information. Business processes that create the highest risk to privacy, such as emailing of personal information, are more common in these longstanding legacy systems.

Service NSW's significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks

Since it was established in 2013, Service NSW has experienced significant growth in the number and diversity of the types of transactions it provides, as well as the number of client agencies with which it works. The pace and extent of this growth has contributed to important controls not being properly implemented on a timely basis, which has heightened privacy risks, particularly in regard to existing, legacy systems and processes.

The pace of change and increasing demand for new program implementation has limited the opportunity for Service NSW, in collaboration with its client agencies, to revisit and redesign legacy business practices which pose a greater privacy risk. This includes the scanning and emailing of personal information.

While 2019–20 has seen additional demands placed on Service NSW in responding to the 2019–20 bushfire emergency and COVID 19 pandemic, it is the nature of the agency’s work that it operates in a fast paced and complex environment, where it is required to respond to multiple client agencies and stakeholders. Ensuring customer privacy should be integral to Service NSW’s business as usual operations.

2. Recommendations

Service NSW commissioned a number of external reviews and investigations stemming from the data breaches. The Auditor General's recommendations below have taken these other reviews into account. In order to offer assurance that it is appropriately protecting the privacy of its customers, Service NSW should address the full breadth of findings and recommendations made across all relevant reviews.

As a matter of urgency, Service NSW should:

1. in consultation with relevant client agencies and the Department of Customer Service, implement a solution for a secure method of transferring personal information between Service NSW and client agencies

2. review the need to store scanned copies of personal information and, if still required, implement a more secure method of storing this information and regular deletion of material.

By March 2021, Service NSW should:

3. ensure that all new agreements entered into with client agencies from 1 April 2021 address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

4. in collaboration with the Department of Customer Service, review its privacy management plan to address the deficiencies raised in this audit, including:

• to clarify Service NSW's understanding of how responsibility for meeting privacy obligations are delineated between Service NSW and client agencies
• to better reflect the full scope and complexity of personal information handled by Service NSW
• to better explain how applications for internal review are handled between Service NSW and the Department of Customer Service
• to ensure regular ongoing review, either according to a schedule or when Service NSW experiences substantial change to its programs and handling of personal information

5. in consultation with the Department of Customer Service, review its policies and processes for the management of privacy risks, including to:

• ensure that there are appropriate mechanisms to escalate identified privacy risks from business units to the Executive Leadership Team
• ensure that there are action plans to address strategic privacy risks that are assessed as having ineffective controls.

By June 2021, Service NSW should:

6. address deficiencies in the controls over, and security for, its Salesforce customer relationship management and related systems that hold customer personal information, including:

• establish policies and processes for regular access reviews and monitoring of user activity in these systems, including for privileged users
• enable partitioning and role based access restrictions to personal information collected for different programs
• provide customers the choice to use multi factor authentication to further secure their MyServiceNSW accounts
• enable customers to view the transaction history of their personal information to detect possible mishandling.

By December 2021, Service NSW should:

7. ensure that all existing agreements with client agencies address the deficiencies identified in this audit, including that they provide clarity on:

• the content and provision of privacy collection notices
• the terms by which personal information will be retained, stored, archived, and disposed of when no longer required
• steps that will be taken by each agency to ensure that personal information is kept secure
• the circumstances in which, and processes by which, applications for internal review will be referred by one agency to the other
• how identified breaches of privacy will be handled between agencies

8. carry out a risk assessment of all processes, systems and transactions that involve the handling of personal information and undertake a privacy impact assessment for those that:

• are identified as high risk and have not previously had a privacy impact assessment
• have had major changes or updates since the privacy impact assessment was completed.

Appendix one – Responses from agencies

Appendix two – About the audit

Copyright notice

© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.

In October 2016, the NSW Government accepted an unsolicited proposal from IFM Investors and AustralianSuper to lease 50.4 per cent of Ausgrid for 99 years. The deal followed the Federal Government’s rejection of two bids from foreign investors, for national security reasons.

A performance audit of the lease of Ausgrid has found shortcomings in the unsolicited proposal process. Releasing the audit findings today, the Auditor-General for New South Wales, Margaret Crawford said ‘this transaction involved a $20 billion asset owned by the people of New South Wales. As such, it warranted strict adherence to established guidelines’.

Ausgrid is a distributor of electricity to eastern parts of Sydney, the Central Coast, Newcastle and the Hunter Region.

In June 2014, the then government announced its commitment to lease components of the state's electricity network as part of the Rebuilding NSW plan. Implementation of the policy began after the government was re-elected in 2015. Between November 2015 and August 2016, the NSW Government held a competitive tender process to lease 50.4 per cent of Ausgrid for 99 years. The NSW Government abandoned the process on 19 August 2016 after the Australian Treasurer rejected two bids from foreign investors, for national security reasons. That day, the Premier and Treasurer released a media statement clarifying the government's objective to complete the transaction via a competitive process in time to include the proceeds in the 2017–18 budget.

On 31 August 2016, the state received an unsolicited proposal from IFM Investors and AustralianSuper to acquire an interest in Ausgrid under the same terms proposed by the state during the tender process. In October 2016, the government accepted the unsolicited proposal. 

This audit examined whether the unsolicited proposal process for the partial long-term lease of Ausgrid was effectively conducted and in compliance with the government’s 2014 Unsolicited Proposals: Guide for Submission and Assessment (Unsolicited Proposals Guide or the Guide). 

The audit focused on how the government-appointed Assessment Panel and Proposal Specific Steering Committee assessed key requirements in the Guide that unsolicited proposals must be demonstrably unique and represent value for money. 

Appendix one - Response from agency

Appendix two - NSW Government’s summary of assessment of the Ausgrid unsolicited proposal   

Appendix three - The definition and nature of unsolicited proposals

Appendix four - Ausgrid unsolicited proposal process

Appendix five - About the audit

Appendix six - Performance auditing

Parliamentary reference - Report number #309 - released 11 December 2018

The Premier’s Implementation Unit uses a systematic approach to measuring and reporting progress towards the Premier’s Priorities performance targets, but public reporting needed to improve, according to a report released today by the Auditor-General of NSW, Margaret Crawford.

The Premier of New South Wales has established 12 Premier’s Priorities. These are key performance targets for government.

Source: Department of Premier and Cabinet, Premier’s Priorities website.

Each Premier’s Priority has a lead agency and minister responsible for achieving the performance target.

The Premier’s Implementation Unit (PIU) was established within the Department of Premier and Cabinet (DPC) in 2015. The PIU is a delivery unit that supports agencies to measure and monitor performance, make progress toward the Premier’s Priorities targets, and report progress to the Premier, key ministers and the public.

This audit assessed how effectively the NSW Government is progressing and reporting on the Premier's Priorities.

The Premier’s Implementation Unit (PIU) is effective in assisting agencies to make progress against the Premier’s Priorities targets. Progress reporting is regular but transparency to the public is weakened by the lack of information about specific measurement limitations and lack of clarity about the relationship of the targets to broader government objectives.The PIU promotes a systematic approach to measuring performance and reporting progress towards the Premier’s Priorities’ performance targets. Public reporting would be improved with additional information about the rationale for choosing specific targets to report on broader government objectives.

The PIU provides a systematic approach to measuring performance and reporting progress towards the Premier's Priorities performance targets. Public reporting would be improved with additional information about the rationale for choosing specific targets to report on broader government objectives. The data used to measure the Premier’s Priorities comes from a variety of government and external datasets, some of which have known limitations. These limitations are not revealed in public reporting, and only some are revealed in progress reported to the Premier and ministers. This limits the transparency of reporting.

The PIU assists agencies to avoid unintended outcomes that can arise from prioritising particular performance measures over other areas of activity. The PIU has adopted a collaborative approach to assisting agencies to analyse performance using data, and helping them work across organisational silos to achieve the Premier’s Priorities targets.

Data used to measure progress for some of the Premier’s Priorities has limitations which are not made clear when progress is reported. This reduces transparency about the reported progress. Public reporting would also be improved with additional information about the relationship between specific performance measures and broader government objectives.

The PIU is responsible for reporting progress to the Premier, key ministers and the public. Agencies provide performance data and some play a role in preparing progress reports for the Premier and ministers. For 11 of the Premier's Priorities, progress is reported against measurable and time-related performance targets. For the infrastructure priority, progress is reported against project milestones.

Progress of some Priorities is measured using data that has known limitations, which should be noted wherever progress is reported. For example, the data used to report on housing completions does not take housing demolitions into account, and is therefore overstating the contribution of this performance measure to housing supply. This known limitation is not explained in progress reports or on the public website.

Data used to measure progress is sourced from a mix of government and external datasets. Updated progress data for most Premier’s Priorities is published on the Premier’s Priorities website annually, although reported to the Premier and key ministers more frequently. The PIU reviews the data and validates it through fieldwork with front line agencies. The PIU also assists agencies to avoid unintended outcomes that can arise from prioritising single performance measures. Most, but not all, agencies use additional indicators to check for misuse of data or perverse outcomes.

We examined the reporting processes and controls for five of the Premier’s Priorities. We found that there is insufficient assurance over the accuracy of the data on housing approvals.

The relationships between performance measures and broader government objectives is not always clearly explained on the Premier’s Priority website, which is the key source of public information about the Premier’s Priorities. For example, the Premier’s Priority to reduce litter volumes is communicated as “Keeping our Environment Clean.” While the website explains why reducing litter is important, it does not clearly explain why that particular target has been chosen to measure progress in keeping the environment clean.

By December 2018, the Department of Premier and Cabinet should:

1. improve transparency of public reporting by:
   • providing information about limitations of reported data and associated performance
   • clarifying the relationship between the Premier’s Priorities performance targets and broader government objectives.
2. ensure that processes to check and verify data are in place for all agency data sources
3. encourage agencies to develop and implement additional supporting indicators for all Premier’s Priority performance measures to prevent and detect unintended consequences or misuse of data.

The Premier's Implementation Unit is effective in supporting agencies to deliver progress towards the Premier’s Priority targets.

The PIU promotes a systematic approach to monitoring and reporting progress against a target, based on a methodology used in delivery units elsewhere in the world. The PIU undertakes internal self-evaluation, and commissions regular reviews of methodology implementation from the consultancy that owns the methodology and helped to establish the PIU. However, the unit lacks periodic independent reviews of their overall effectiveness. The PIU has adopted a collaborative approach and assists agencies to analyse performance using data, and work across organisational silos to achieve the Premier’s Priorities targets.

Agency representatives recognise the benefits of being responsible for a Premier's Priority and speak of the value of being held to account and having the attention of the Premier and senior ministers.

By June 2019, the Department of Premier and Cabinet should:

1. establish routine collection of feedback about PIU performance including:
   • independent assurance of PIU performance
   • opportunity for agencies to provide confidential feedback.

Appendix one: Response from agency

Appendix two: Data sources

Appendix three: About the audit

Appendix four: Performance auditing

Parliamentary reference - Report number #307 - released 13 September 2018