Report highlights: Internal controls and governance 2023

What this report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2023.


Internal control trends
The proportion of control deficiencies identified as high-risk this year decreased to 4.5% (8.2% in 2022).

Repeat findings of control deficiencies represent 38% of all findings (48% in 2022).

Information technology
Over half of the agencies reviewed have deficiencies in managing user access to their information systems. Over a third of agencies had deficiencies in their controls over privileged user accounts within their information technology environments.

Cyber security
Over 80% of assessments for maturity levels against the NSW Cyber Security Policy have reported one or more self-assessed Mandatory Requirements are not practiced on a consistent and regular basis.

Essential Eight cyber controls have not improved, and they need to.

Governance framework
Deficiencies were noted in agencies' governance and risk management frameworks, namely: outdated risk management policies, lack of risk appetite statements, and internal audit functions not being externally evaluated.

Payroll and work health and safety (WHS)
Overtime expenses increased by 40% between 2020 and 2023, compared to salaries and wages which increased by 16% over the same period.

Five agencies have WHS policies that do not reflect current WHS regulations.


Several important recommendations were made for agencies to prioritise efforts to improve cyber security controls and cyber resilience measures.

It was also recommended that agencies periodically review their risk management maturity and implement action plans, and ensure their WHS policies and procedures reflect current legislation requirements including the need to manage psychosocial risks.

Fast facts

The 25 largest NSW government agencies in this report cover all ten portfolios of agencies and represent over 95% of total expenditure for the NSW public sector.

  • 12 high-risk findings identified
  • 268 control deficiencies were identified in 2023
  • 48% of agencies failed to effectively review and validate user access to IT systems
  • 0 agencies met all of their reported cyber maturity targets for 2023
  • 3% of total salaries and wages was represented by overtime expenses in 2023
  • 5 agencies had outdated WHS policies

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.