Internal Controls and Governance 2017

Agencies need to do more to address risks posed by information technology (IT), NSW Auditor-General Margaret Crawford has found.

'IT control deficiencies were the most common source of internal control issues in our 2016-17 audits of NSW agencies', Ms Crawford said.

The extent of the cyber security threat is unknown because agencies define a 'cyber attack' differently. This matter will be examined in more detail in a performance audit report on cyber security scheduled for release in early 2018. Further, most agencies do not sufficiently monitor or restrict privileged access to their systems and some do not enforce password controls.

'Shared services arrangements can reduce back-office costs. However, performance management of shared service providers could be improved', Ms Crawford said.

These are some of the findings to emerge from the first stand-alone report on internal controls and governance released by the Auditor-General today.

'The report is based on our work with 39 of the State's largest agencies. While this does not cover every agency in New South Wales, it draws from a large enough number to identify common issues and insights', Ms Crawford said.

The new report will help the parliament to understand critical issues across the public sector, and help agencies to compare their own performance against that of their peers. It evaluates how agencies identify, mitigate and manage risks related to:

  • financial controls

  • information technology

  • asset management and the delivery of significant capital projects

  • continuous disclosure and shared service arrangements

  • ethics, conflicts of interest, and gifts and benefits

  • risk management.

Overall, the report makes 17 recommendations that will help agencies improve internal controls and governance, and in turn deliver their services more effectively. It also reviews how agencies have progressed against recommendations made in the previous year.

Further information

Barry Underwood, Director, Office of the Auditor-General, on 0403 073 664 and email