Report snapshot

Internal controls and governance help agencies achieve their outcomes by supporting effective operations, reliable financial reporting, and legal compliance. This report provides Parliament with insights from financial audits of 26 major NSW public sector agencies, focusing on the effectiveness of their internal controls and governance. It presents observations across key elements of these frameworks.

Key findings

Internal control findings have decreased

Audit findings on internal controls and governance were reported across all 26 agencies. While the total number of findings decreased in 2024–25 compared to the 2023–24 interim audits, repeat findings rose and now account for 33% of all reported issues.

IT controls need to improve

Five high-risk findings were reported, all related to ineffective IT controls, including those designed to prevent cyber security incidents. Approximately half of all findings involved IT controls over key financial systems.

Deficiencies in procurement practices

Agency procurement practices show deficiencies in policy alignment, capability, and oversight. Many do not fully incorporate mandatory requirements of the NSW Procurement Policy Framework, and procurement training is either lacking or not mandatory. Around half lack formal policies for best and final offer processes, and supplier relationship management is inconsistently applied, limiting value-for-money assurance.

While all agencies have conflict of interest policies, some are outdated and lack mechanisms for managing complaints, with over half failing to review centralised registers before awarding contracts.

Agencies can better integrate AI into their existing governance and strategy arrangements

Agencies are beginning to adopt AI but have yet to fully integrate it into governance and strategic planning. Fewer than half have formal AI policies or have embedded AI into existing frameworks to guide responsible use. Only a quarter have developed strategies to maximise AI’s benefits, and AI is not yet widely used as a strategic or operational tool across the sector.

Cyber security control deficiencies expose supply chains to vulnerabilities and undermine investment effectiveness

Control deficiencies make agencies vulnerable to supply chain cyber security threats and reduce investment effectiveness.

Three agencies lack formal policies addressing supply chain cyber risks, and eight do not have strategies to maintain complete IT asset registers, limiting visibility of systems. Weak third-party oversight was observed, including unclear contractual roles and limited post-termination planning. Additionally, not all agencies conduct cost–benefit analyses or align cyber security spending with threat landscapes, and only seven actively manage underutilised or outdated cyber security tools.

Recommendations

The report recommends that agencies strengthen controls and processes across three key areas: procurement frameworks, adoption of artificial intelligence, and cyber security controls.

Chapter 3 provides key areas of improvement and practical lessons for NSW government agencies in considering the effectiveness of their internal controls and governance.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report

This audit assessed how effectively Transport for NSW (TfNSW) procured the New Intercity Fleet (NIF) and the Regional Rail Fleet (RRF).

The combined estimated capital cost to completion of these procurements is currently $6.8 billion.

Findings

TfNSW did not effectively procure the New Intercity Fleet or the Regional Rail Fleet.

TfNSW did follow the processes required by the NSW Government and its own procurement policies, and managed probity and conflict of interest issues in alignment with those policies.

TfNSW did not effectively scope or estimate the full costs of the NIF or the RRF to inform assurance activities or investment decisions, and significantly underestimated the costs of enabling works for both projects.

TfNSW did not properly account for the number of NIF trains needed to avoid overcrowding, despite being aware overcrowding was likely on some peak services. This led to additional works and costs, including purchasing additional trains at higher prices.

TfNSW did not engage effectively with drivers and guards in planning and procurement. This limited its ability to manage the risks of industrial action, specifically those related to the decision for the NIF to be driver-only operated.

Documented ‘lessons learnt’ warned of the risks of using a Public Private Partnership (PPP) for the procurement of rolling stock, including the risks of variations. However, TfNSW did not effectively manage these elevated risks for the RRF, which were exacerbated by the decision to not include operation of the fleet in the PPP.

Recommendations

The audit makes six recommendations to TfNSW which relate to:

• improving its use of demand forecasting to inform investment decisions and rail rolling stock procurement activities
• introducing mandatory requirements for stakeholder consultation to inform rail rolling stock procurement projects
• developing effective assurance processes at all project stages
• improving public transparency by reporting clearly, consistently and comprehensively on the scope, timeline and costs of projects
• ensuring written advice to ministers and Cabinet is comprehensive, evidence-based and objective
• maintaining and properly classifying records, including advice to ministers and government, at all project stages.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report 

Revenue NSW is a division within the Department of Customer Service responsible for collecting fines and taxes, administering grants and recovering debt on behalf of state government agencies. As part of its role, Revenue NSW has a responsibility to ensure fines and debt processes do not have a disproportionate impact on vulnerable people.

Revenue NSW has a Hardship Policy to assist people experiencing hardship in accordance with its Customer Commitments which include acting with empathy, ease of access, situation resolution and clear explanations.

There are a range of payment options to provide hardship assistance under the policy including fine write-offs, payment plans and Work and Development Orders. Most decisions on hardship assistance are made by Revenue NSW. An individual can appeal a decision to the Hardship Review Board.

This audit assessed the effectiveness of Revenue NSW in delivering hardship assistance in compliance with relevant legislation, policies and guidelines.

Findings

Revenue NSW delivers assistance to people experiencing hardship using the range of payment options available under its Hardship Policy. It has established a governance framework to support effective implementation, including processes, procedures and delegations for assessing hardship applications.

Revenue NSW is not effectively monitoring, evaluating and reporting on the outcomes of the hardship assistance it provides under the Hardship Policy.

Revenue NSW can improve some of its processes that support it to make fair, consistent and transparent decisions on hardship assistance. It can also improve how it communicates decisions to people applying for hardship assistance.

Recommendations

The report makes five recommendations to:

• evaluate and publicly report on the implementation of the Hardship Policy
• improve quality assurance across fines and debt operations
• improve correspondence to people seeking hardship assistance
• improve the documentation of governance, risk management and ethics in artificial intelligence and automation used in fines and debt operations
• communicate more clearly the role of the Hardship Review Board.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report 

This audit assessed the performance of the NSW Education Standards Authority (NESA) and the NSW Department of Education in regulating home schooling and in providing alternative school settings, specifically:

• distance education schools
• hospital schools
• intensive learning support schools
• youth justice centre schools.

NESA regulated home schooling until 5 May 2025, when the function moved to the Department.

Findings

The Department and NESA have not effectively supported eligible students to receive a quality education in alternative school settings and home schooling. They have not:

• defined the learning and wellbeing outcomes for students in these particular settings, or evaluated whether these settings are effective in achieving those outcomes
• monitored or responded to demand for these settings, to make sure they are available and accessible in a timely way
• supported student transitions into and out of these settings, so that continuity of education is maintained
• proactively sought feedback from students and families to understand whether their needs are being met.

Recommendations

The audit makes three recommendations to the Department of Education, now responsible for regulating home schooling as well as for providing alternative school settings:

1. Develop and implement a strategy for alternative school settings that recognises their specialised nature and:

• addresses demand
• enables timely access
• enhances departmental support for student transitions
• establishes data and accountability mechanisms.

2. Work with the home schooling community on reforms to regulation, including consideration of:

• expedited registration processing
• support for students’ transitioning into and out of home schooling
• quality assurance mechanisms that recognise the unique features of home schooling.

3. Identify the child safety monitoring risks in the alternative school settings and in home schooling regulation, and ensure fit-for-purpose mechanisms are in place to address these.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report 

The coastal management framework under the Coastal Management Act 2016 (the Act), aims to deliver strategic and integrated management, use and development of the coast by state and local government for the social, cultural and economic wellbeing of the people of NSW.

The Department of Climate Change, Energy, the Environment and Water (DCCEEW) oversees and facilitates implementation of the framework by local councils in the coastal zone.

The Department of Planning, Housing and Infrastructure (DPHI) facilitates integration of the framework with the land use planning system.

Local councils are supported by DCCEEW and DPHI to develop coastal management programs (CMPs) that set out risk-based, long-term strategies for managing the coast.

This audit examined whether DCCEEW, DPHI and three local councils (City of Coffs Harbour, Shoalhaven City and Northern Beaches Councils) are effectively implementing the framework to manage the NSW coast.

Findings

The coastal management framework is not being effectively implemented to manage the NSW coastal environment. Seven years after the framework came into effect, most local councils are still in the process of developing CMPs.

DCCEEW is not effectively overseeing and facilitating implementation of the framework by state and local government. As a result, the Act’s objectives are not being achieved.

Gaps in DCCEEW’s strategic planning, risk management and performance monitoring mean it cannot demonstrate that the framework is being implemented to effectively manage risks to the use and resilience of the coastal environment now and into the future.

The audited councils are developing CMPs to support coastal management and strategic land use planning, but the process is taking longer than anticipated. The audited councils with certified CMPs have faced challenges in integrating related coastal management actions as part of their integrated planning and reporting, due to uncertainty over long-term funding sources.

DCCEEW and DPHI are not effectively addressing challenges to the successful implementation of the framework. These include gaps in mapping coastal hazards to support framework objectives for managing risks from these hazards. DCCEEW is not effectively facilitating partnerships across state and local government, and there is uncertainty over funding for framework implementation.

Recommendations

The report makes recommendations including:

• DCCEEW should improve its oversight, facilitation and monitoring of framework implementation.
• DCCEEW and DPHI should address gaps in implementation of land use planning policy relating to managing coastal hazard risks.
• Local councils, and divisions of DCCEEW and DPHI responsible for national parks and Crown land, should integrate the delivery of actions in CMPs into asset management, business and financial planning, and risk management processes.
• Local councils should monitor and report on progress to the council and community.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report 

The reliance on information technology in modern government, in addition to the global interconnectivity between computer networks, has dramatically increased the risk of cyber security incidents. Such incidents can harm government service delivery and may include the theft of information, breaches of private information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent. These outcomes can have adverse impacts on the community and harm trust in government.

This report presents our analysis of the NSW Cyber Security Policy compliance data submitted by State agencies to Cyber Security New South Wales in 2024, along with insights into the cyber security environment drawn from selected reports published between 2018 and 2025. This analysis includes reports from performance audits, compliance audits and financial audits.

The report is a resource for the public sector. It provides insights into the challenges and opportunities for strengthening cyber resilience.

Insights

Key insights from the report’s analysis of Cyber Security policy compliance data include:

• the need for agencies to focus on the cyber resilience gaps particularly in implementing ‘protect’ domain controls
• a lack of independent assurance over agency reporting against the Cyber Security Policy
• limited oversight of third-party providers
• risk that aggregate reporting reduces visibility into agency compliance levels and cyber risks.

The report’s analysis of selected Auditor-General reports from 2018 and 2025 identifies that while cyber security governance in the NSW public sector has improved through broader adoption of policies and frameworks, there is still a critical need to:

• address unclear roles
• adequately identify information assets
• manage third-party cyber security risk
• address failures to meet basic protection standards
• perform phishing simulations more regularly
• align culture with cyber security environment to ensure controls are fit for purpose.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report 

This audit assessed the compliance of the Local Small Commitments Allocation Program (LSCA Program) with the NSW Grants Administration Guide (the Guide) and the Government Sector Finance Act 2018 (the Act).

The LSCA Program Office (the Program Office) was established in the NSW Premier’s Department in July 2023 to administer the LSCA Program.

Findings

Since its formation in July 2023, the Program Office effectively administered the LSCA Program in compliance with the Guide and the Act. The audit identified two exceptions: 54 assessment panel members’ conflicts were not identified and managed from a total of 644 approved projects, and there were some other minor administrative errors.

NSW Labor oversaw initial aspects of the administration of the LSCA Program. Where aspects of the LSCA Program were not performed by an auditable entity, nor by a non-government entity that received state government funding or other resources to deliver a state purpose, these activities fall outside the scope of the Auditor-General’s mandate.

The Guide could be clearer about how the public sector is to administer grants involving election commitments. 

The Program Office’s review of conflicts of interest at the candidate level, was limited to 17 candidates put forward by the Special Minister of State. The Program Office advises it received verbal confirmation that conflicts of interest processes had been implemented by NSW Labor for all electorates, but did not seek documentation supporting NSW Labor’s conflicts of interest assessments.

The summarised merit assessment criteria do not fully reflect the legislative purposes of the funding source for the LSCA Program. As a result, there is a risk that the Minister was not provided with sufficient guidance to reach the state of satisfaction required by legislation.

Recommendations 

The report made the following recommendations:

• the NSW Government should consider updating the Grants Administration Guide to include additional guidance on how the public sector is to address financial accountability, probity, record keeping and administrative obligations when a grants administration process has been initiated as an election commitment
• the Department should ensure conflicts of interest processes are implemented as intended for all future grant programs.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report 

In NSW, mining companies are legally required to rehabilitate disturbed land and water to a safe and stable condition. Mining companies must also provide a security deposit to cover the cost of rehabilitation in case they default on their obligations.

The Department of Primary Industries and Regional Development (the Department) is responsible for overseeing and enforcing these requirements. These functions are delivered by a unit in the Department, known as the NSW Resources Regulator.

This audit assessed the effectiveness of the Department in monitoring compliance with and enforcing mine rehabilitation requirements. This audit focused on the rehabilitation of large mines.

Findings

The Department is not effectively monitoring and reporting on compliance with mining rehabilitation requirements. However, regulatory reforms introduced in July 2021 provide a more robust regulatory framework for mine rehabilitation. These changes, if implemented effectively, should provide the Regulator with a consolidated view of rehabilitation progress for large mines.

Current gaps in the Department’s data framework mean that it does not have a comprehensive and reliable view of rehabilitation progress and enforcement outcomes. This limits the Regulator’s ability to effectively regulate mine rehabilitation. Further, there is no current plan to evaluate the effectiveness of its regulatory program. 

While the Regulator collects data on the amount of land under rehabilitation, it does not collect data on the amount of disturbed land available to mining companies for rehabilitation. Without this data, the Regulator is unable to determine whether a mining company has rehabilitated disturbed land as soon as reasonably practicable after the disturbance occurs. 

The total value of rehabilitation security deposits held by the Department was around $4 billion in 2023–24. If there is a shortfall in deposits held for one mine, that shortfall cannot be covered by another mining company’s security deposit. A Rehabilitation Cost Estimate tool is used to calculate required security deposits for each mine. The Regulator updates this tool around every four years, but there is no allowance between reviews to account for inflation or changes to industry rates.

Recommendations 

The audit makes four recommendations, including to:

1. implement an evaluation plan to measure regulatory outcomes
2. address gaps in the data framework
3. develop and report publicly on key performance indicators and targets
4. enhance governance and regulation for mine rehabilitation, including by ensuring planning documents consider emerging risks. 

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report 

Social housing is affordable rental housing provided to households with low incomes. In NSW, there are around 156,000 social housing dwellings. Social housing includes public housing, community housing and Aboriginal housing.

On 1 February 2024, Homes NSW was established as a division of the Department of Communities and Justice (DCJ) with responsibility for managing housing and homelessness services.

This audit assessed whether social housing is effectively and efficiently prioritised to meet the needs of vulnerable households, and whether social housing tenants are effectively supported to establish and sustain their tenancies.

Conclusion

The audit concluded that the process to apply for a social housing property is inefficient and inequitable. The application process requests substantial amounts of evidence to determine whether an applicant is a priority. Some applicants are supported by external agencies to collect this evidence while others cannot access support.

The process to allocate available social housing properties is inefficient and inequitable. In June 2024, DCJ took an average of 33 days to fill a vacant property. Just under a third of offers of housing result from manually selecting an applicant, rather than using the priority ranked list of applicants. DCJ does not centrally monitor manual allocation decisions, which risks inequitable outcomes.

Social housing tenants do not consistently receive effective support to help them establish a successful tenancy or sustain that tenancy when issues arise. DCJ does not have a clearly articulated strategy for supporting tenancies, nor does it monitor or report on the support it coordinates for tenants.

Recommendations 

The report made five recommendations:

1. Simplify the social housing application process.
2. Review and improve the allocation and offer process.
3. Regularly monitor and report on the use of manual allocations.
4. Clearly articulate the role of Homes NSW as a social housing landlord.
5. Align key data sets between DCJ and community housing providers.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.

About this report

This audit assessed the effectiveness of the regulation of gaming machines in clubs and hotels, with a focus on harm minimisation requirements.

In NSW, the Independent Liquor and Gaming Authority (ILGA) and the Department of Creative Industries, Tourism, Hospitality and Sport (the Department) share responsibility for regulating gaming machines in clubs and hotels.

Findings 

More than half of all gaming machines in Australia are located in NSW.

The Department and ILGA regulate gaming machines in a structured and consistent manner but are not supporting harm minimisation outcomes effectively.

The Department has a regulatory strategy that sets out its priorities clearly. It has communicated this to stakeholders. However, the strategy does not have a sufficient focus on the areas that are considered high-risk for gambling harm and does not set targets for reducing harm associated with gaming machines. Gaming machine losses and the social costs of gambling harm continue to be disproportionately concentrated in socio-economically disadvantaged communities.

ILGA and the Department have clear processes for assessing applications to operate gaming machines. However, ILGA does not proactively review licence conditions after they are granted.

Most venues that have the largest number of gaming machines have not had their licence conditions reviewed in recent years and are operating gaming machines with licence conditions that may not be consistent with contemporary approaches to harm minimisation.

A legislated forfeiture scheme that aims to reduce the number of gaming machines in NSW has existed since 2001. The number of gaming machines operating in NSW has decreased gradually, noting there has been an increase in the number of gaming machines in NSW since 2021–22.

Recommendations 

The report made recommendations including:

• the Department should increase the focus of its regulatory strategy on improving harm minimisation outcomes and ensure the gaming machine forfeiture scheme is achieving its legislative objectives
• ILGA should commence periodic reviews of licence conditions for venues operating gaming machines and increase clarity to industry and other stakeholders about the reasons for its decisions.

Further information

Please contact Renee O'Kane, Chief of Staff, on 9275 7347 or by email.