About AEO

The AEO Framework

The AEO Framework is a hierarchical set of documented system components that provide TfNSW with a justified confidence in the capability of the supply chain to deliver safe and fit-for-purpose assets by capable and competent organisations.

It supports the participation of the private sector to add more value and innovation to the Transport network.

The below listed and other Frameworks and governance documentation for Authorised Engineering Organisations is available on the ASA standards page or can be obtained from the ASA.

Authorisation of AEOs

TfNSW authorisation is conducted by assessing an organisation's ability to deliver the defined scope of assured engineering services, and also rating the maturity of an organisation's own systems and their deployment against the AEO requirements. These are divided amongst the 11 Engineering Management Capability Areas (EMCA), representing core organisational practices that are necessary to enable an organisation to effectively deliver assured asset lifecycle services. The authorisation assessment seeks to understand how an organisation's business model delivers them and how it continues to conform to them through their engagements with TfNSW. The EMCA are:

11 Engineering Management Capability Areas (EMCA)



EMCA 1Planning, managing and closing out engineering work
EMCA 2Managing the work requirements
EMCA 3Managing service or solution engineering
EMCA 4Managing assurance, verification and validation
EMCA 5Managing configuration
EMCA 6Managing competence (including contractor and subcontractor competence)
EMCA 7Managing stakeholders
EMCA 8Managing resources
EMCA 9Managing supplier quality
EMCA 10Managing performance of the engineering systems
EMCA 11Continuous improvement of the engineering systems

For more information about the AEO Model, contact the ASA Authorisation & Audit team (AuthorisationAudit@transport.nsw.gov.au).

Refer to Become an AEO for authorisation assessment or scope expansion details.

Refer to AEO Surveillance Audit below for AEO obligations during surveillance period.

AEO Surveillance Audit

What is a surveillance audit?

Audits are a systematic, independent and documented verification process of objectively obtaining and evaluating audit evidence to determine whether specified criteria are met (AS/NZS ISO 19011:2014).  The ASA undertakes risk-based surveillance audits of AEOs to measure the level of compliance with authorisation requirements including demonstrated evidence of active deployment of an AEO's systems in an organisational and/or project environment.

Underpinning the surveillance process are:

  • a competent systems auditor performing the role of team leader;
  • engaging competent SMEs, as required, as part of the audit team;
  • adopting a consultative risk-based approach to developing targeted audit scope – utilising information from previous assessments, audits or other sources;
  • undertaking the audit in line with the agreed audit plan;
  • completing the audit report in the agreed timeframe;
  • following up with the AEO to ensure that agreed actions are addressed and closed.

When does an AEO undergo the first surveillance audit?

The first surveillance audit is scheduled around 12 months after being granted AEO status and establishes a critical baseline of performance against that during the assessment phase. It establishes how the organisation's systems and processes are measured and rated at a deployment level.

How frequently will an AEO need to undergo a surveillance audit?

The Manager Audit & Compliance, ASA, develops a program of surveillance audits on all AEOs that is updated regularly.

After the first surveillance audit, a risk-based approach is adopted by ASA with all AEOs to ensure areas which present higher risks to TfNSW are identified and targeted as a priority during ongoing surveillance activities, including outstanding action items.

The frequency of surveillance is based on a range of risk considerations, which also contribute to scope development:

  • maturity levels and findings from the initial authorisation assessment;
  • any outstanding actions from the initial assessment;
  • previous surveillance audits findings and any outstanding actions;
  • scope of services and disciplines offered by the AEO;
  • TfNSW contracts awarded to the AEO;
  • risks associated with the particular AEO services, especially safety risks.

The output of ongoing surveillance is used to adjust maturity classification levels, if required, and the frequency, depth and focus of subsequent surveillance audits.

When and how will an AEO be advised of a surveillance audit?

Each ASA systems auditor is assigned a number of AEOs to manage for surveillance purposes.  They will forward notification to the AEO about 3 months in advance of the proposed audit date.

The notice of intent to audit will include a questionnaire for the AEO to complete and return to the ASA. The responses in the questionnaire both confirm and assist the ASA in developing targeted risk-based audit scope.

The ASA is aware that AEOs typically experience a range of third party activities that may impact on their business. Therefore we engage with the AEO during the planning phase to enable the most effective and efficient arrangements to accommodate the surveillance audit and reduce the impact on business activities.

What is a Special Audit?

A Special Audit is initiated at short notice on an AEO where a prompt investigative response is required to an identified risk. A serious incident or systemic issue involving an AEO may trigger a Special Audit which is conducted outside of the regular surveillance audit program.  The decision to proceed with a Special Audit is made after review of information or evidence made available to the ASA and discussions with the AEO.

The ASA may also be engaged to conduct a Special Audit on an operator maintainer AEO against specific rail services contract requirements, including asset integrity.

A competent auditor is assigned the role of audit team leader and necessary SMEs are engaged to be part of the audit team.  The defined terms of reference or scope will set out the parameters of the Special Audit, the timeframe in which it needs to be completed and any special conditions.

What is an Action Management Plan?

It is a condition of being granted AEO status that each organisation addresses agreed actions appropriately within agreed timeframes and that they comply with any conditions imposed by the ASA as part of their authorisation. These details are set out in the letter of authorisation issued by the ASA.

An Action Management Plan is generated after the final audit report is released, using an approved ASA template. The Action Management Plan provides for inclusion of actions, controls and due dates proposed by the AEO in response to audit findings.

It is incumbent upon the AEO to address, as a priority, higher level action items which present the greatest risk (i.e. serious/major non-conformances) and proposed action responses must meet the intent of report findings.

The ASA systems auditor will liaise regularly with the AEO until actions are progressively closed-out based on evidence provided.

Framework and governance documentation

Frameworks and governance documentation for Authorised Engineering Organisations is available on the ASA standards page.