NSW public sector audit finds deficiencies

An audit of NSW public sector agencies has found ‘high risk’ deficiencies of governance relating to the management of councils, the administration of grants and payment systems, and conflicts of interest around Sydney Metro contractors.

The Auditor General’s Internal Controls and Governance 2023 report also found shortcomings in cybersecurity and management of information systems at NSW’s biggest agencies.

The auditor looked at cyber security, governance, and management of payroll and WHS in the state’s 25 biggest agencies, covering ten portfolios and representing more that 95 per cent of public sector expenditure.

Agencies audited (source Internal Controls and Governance 2023, NSW Auditor General’s Office)

Information systems and cyber security

The report released late last year finds more than 50 per cent of the agencies reviewed had failings in the way they managed access to their information systems, and more than a third had deficiencies when it came to privileged accounts.

The audit found 48 per cent of agencies are failing to review and validate access to IT systems and not one of the agencies looked at had met their cyber maturity targets.

It also found outdated risk management policies, a 40 per cent increase in overtime expenses and out -of- date WHS policies at five agencies.

Governance deficiencies

The audit found 268 control deficiencies and 12 high risk findings, which are considered failures of governance and controls significant enough to affect an agency’s ability to achieve its objectives. The higher the risk, the more likely it is to result in losses or compromised service ability.

Among the high risk findings were:

  • A failure by DPE to fulfil its role in addressing councils’ compliance with their responsibilities, standards and guidelines
  • ‘Significant’ control deficiencies in Service NSW’s administration of grants programs
  • Failures in the way Sydney Metro is managing contractors and conflicts of interest
  • Deficiencies in the DCJ’s payment systems

The most common deficiencies were around financial operations, IT, compliance, governance and reporting.

However, on a positive note, the percentage of high risk findings had dropped from 8.2 per cent in 2022 to 4.5 per cent in 2023. There were also few repeat findings of deficiencies.


“Several important recommendations were made for agencies to prioritise efforts to improve cyber security controls and cyber resilience measures,” the audit office says.

“It was also recommended that agencies periodically review their risk management maturity and implement action plans, and ensure their WHS policies and procedures reflect current legislation requirements including the need to manage psychosocial risks.”

According to the report, all agencies have flexible working arrangements with the proportion of employees who regularly work from home ranging between five and 100 per cent.

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at editorial@governmentnews.com.au.  

Sign up to the Government News newsletter

Leave a comment:

Your email address will not be published. All fields are required