About AEO

The AEO Framework

The AEO Framework is a hierarchical set of documented system components, providing TfNSW with justified confidence in the capability of the supply chain to deliver safe and fit-for-purpose assets.

It supports the participation of the private sector in building, operating and maintaining transport assets.

The diagram below sets out the document and processes that make up the AEO Framework. The relevant documents that support the AEO Framework can be found at the ASA standards quick search page.

Authorisation of AEOs

TfNSW authorisation is conducted by assessing an organisation's ability to deliver the defined scope of assured engineering services, and also rating the maturity of an organisation's own systems and their deployment against the AEO requirements. Entities are assessed against 11 Engineering Management Capability Areas (EMCA), representing the core organisational practices that are necessary to enable an organisation to effectively deliver assured engineering services. The authorisation assessment seeks to understand how an organisation's business model and management systems meet the relevant capability areas. The EMCA are:

11 Engineering Management Capability Areas (EMCA)



EMCA 1Planning, managing and closing out engineering work
EMCA 2Managing the work requirements
EMCA 3Managing service or solution engineering
EMCA 4Managing assurance, verification and validation
EMCA 5Managing configuration
EMCA 6Managing competence (including contractor and subcontractor competence)
EMCA 7Managing stakeholders
EMCA 8Managing resources
EMCA 9Managing supplier quality
EMCA 10Managing performance of the engineering systems
EMCA 11Continuous improvement of the engineering systems

For more information about the AEO Model, contact the ASA Authorisation & Audit team (AuthorisationAudit@transport.nsw.gov.au).

For details on the authorisation assessment or scope expansion process refer to the Become an AEO page.

To understand an entities obligations once authorised as an AEO refer to the AEO Surveillance Audit section below.

AEO Surveillance Audit

What is a surveillance audit?

Audits are a systematic, independent and documented verification process of objectively obtaining and evaluating audit evidence to determine whether specified criteria are met (AS/NZS ISO 19011:2019).  The ASA undertakes risk-based surveillance audits of AEOs to measure the level of compliance with authorisation requirements including demonstrated evidence of active deployment of an AEO's systems in an organisational and/or project environment.

A number of things underpin the effective delivery of surveillance process including:

  • a comprehensive Master Schedule which maps AEO surveillance audit dates, planning information and audit frequency;
  • an IMS approved Surveillance and Audit Manual and associated procedures and templates;
  • competent systems auditors to undertake the role of audit team leader;
  • competent SMEs, as required, are engaged as part of the audit team;
  • adopting a consultative risk-based approach to developing targeted audit scope – utilising information from previous assessments, audits and other sources;
  • undertaking each audit in line with the agreed audit plan;
  • completing the audit report in the agreed timeframe;
  • following-up with the AEO to ensure that agreed non-conformances are addressed with appropriate mitigation responses and closed.

When does an AEO undergo the first surveillance audit?

The first surveillance audit is scheduled to take place around 12 months after an entity is granted AEO status, if the AEO is engaged in a Transport project or providing asset maintenance services. The audit establishes a baseline of performance against the nominated audit scope, reporting on the level of compliance against AEO requirements at deployment level.

How frequently will an AEO need to undergo a surveillance audit?

The Manager Audit & Compliance, ASA, develops a program of surveillance audits on all AEOs that is updated regularly. After the first surveillance audit, a risk-based approach is adopted by ASA with all AEOs to ensure:

  • projects which present higher risks to Transport are prioritised, during planning considerations, for ongoing surveillance activities in consultation with Transport stakeholders;
  • systems weaknesses identified in previous audits are included in audit scope.

The frequency of ongoing surveillance is based on a range of risk considerations, which also contribute to scope development:

  • maturity levels and findings from the initial authorisation assessment;
  • any outstanding non-conformances from the initial assessment or subsequent surveillance audits;
  • the scope of engineering services and disciplines offered and deployed by the AEO;
  • Transport contracts awarded to the AEO; and
  • risks associated with the particular AEO services, especially safety risks.

The output of ongoing surveillance is used to provide Transport with justified confidence that AEOs are competently applying authorised systems. This provides inputs to determine the frequency, depth and focus of subsequent surveillance audits.

When and how will an AEO be advised of a surveillance audit?

The Manager Audit and Compliance will forward a pre-audit questionnaire to the AEO to complete and return. The completed questionnaire provides information to facilitate an informed decision on if an audit will proceed, or be deferred. If the audit will proceed the AEO is formally advised by email about 3 months in advance of the proposed audit date.

The ASA is aware that AEOs typically experience project-specific assurance activities and in some cases third party audit activities, that may impact their business. Therefore, we provide as much forward notice as possible and engage with the AEO during the planning phase to enable the most effective and efficient arrangements to accommodate the surveillance audit, and reduce the impact on business activities.

What is a Special Audit?

A Special Audit may be initiated at short notice on an AEO, where a prompt investigative response is required to address an identified risk. A serious incident or systemic issue involving an AEO may trigger a Special Audit, which is conducted outside of the regular surveillance audit program. The decision to proceed with a Special Audit is made after review of information or evidence made available to the ASA, and subsequent discussions with the AEO and Transport stakeholders.

The ASA may also be engaged to conduct a Special Audit on an operator maintainer AEO against specific rail services contract requirements, including asset integrity.

A systems auditor is assigned the role of audit team leader and necessary SMEs are engaged to be part of the audit team. The defined terms of reference or scope will set out the parameters of the Special Audit, the timeframe in which it needs to be completed and any special conditions.

What is an Action Management Plan?

It is a condition of being granted AEO status that each organisation addresses agreed non-conformances appropriately within agreed timeframes, and that they comply with any conditions imposed by the ASA as part of their authorisation. These details are set out in the letter of authorisation issued by the ASA.

An Action Management Plan is generated and issued to an AEO after the initial authorisation assessment, and then again following any subsequent audits, where non-conformances have been identified. An approved ASA template is used that includes non-conformances, mitigation responses and due dates for closure of non-conformances.

It is incumbent upon the AEO to address, as a priority, major non-conformances which present the greatest risks to Transport outcomes. Proposed mitigation responses must meet the intent of report findings.

The ASA facilitator or systems auditor will liaise regularly with the AEO until non-conformances are progressively closed-out, based on the evidence provided.