Overview
The Acting Auditor General of New South Wales, Ian Goodwin, released a report today on the results of financial audits of NSW universities for the year ended 31 December 2018.
All ten NSW universities received unqualified audit opinions.
Executive summary
This report analyses the results of our audits of financial statements of the ten NSW universities for the year ended 31 December 2018. The table below summarises our key observations.
1. Financial reporting
Financial reporting | All financial statements submitted for audit by the NSW universities and their controlled entities received unmodified audit opinions. Eight universities finalised their audited financial statements this year on or before the date they did last year. New accounting standards will apply from 1 January 2019, bringing significant changes to the timing of revenue recognition and recording right-of-use assets for leases on balance sheet. NSW universities are at different levels of preparedness to implement the new standards. Some have re-engineered systems and processes, but others are still assessing impacts. |
Sources of revenue from operations | Government grants as a proportion of the total income of NSW universities continues to decrease. Six universities increased the proportion of revenue they receive from overseas students from a single country. Two universities sourced over 73 per cent of their total student revenue from overseas students from a single country of origin in 2018. Total research income for NSW universities was $1.1 billion in 2017. The Australian Research Council introduced a new 'national interest test' for assessing research grant applications from 2019. |
Other revenues | Two universities attracted 69.3 per cent of the total philanthropic revenue of $165 million received by all NSW universities. |
Operating expenditure | The average annual operating expenditure per equivalent full-time student load (EFTSL) increased to $32,737 in 2018, an increase of 6.5 per cent since 2017. This was mostly driven by higher employee-related expenses. The margin between average operating revenue and expenditure per EFTSL decreased by 17.4 per cent to $2,919 in 2018 ($3,533 in 2017). |
Controlled entities | Of the six universities with overseas controlled entities, only one university has formalised governance arrangements for oversighting its controlled entities’ compliance with overseas legislative requirements. Recommendation: Universities should strengthen their governance arrangements to oversight their overseas controlled entities' legal and policy compliance functions. |
2. Internal controls and governance
Internal control findings | Our audits identified 99 internal control deficiencies in 2018 (83 in 2017). Gaps in information technology (IT) controls comprised the majority of these deficiencies. Main deficiencies included inappropriate access to data and systems, lack of protection against cyber attacks, and poor security over information and intangible assets. We considered one deficiency relating to ineffective controls over access to sensitive data to be high risk. NSW universities continue to implement recommendations arising from the 38 findings raised in previous years (24 in 2017). |
Performance reporting | Five universities do not have formal processes to internally review and validate performance information published in their annual reports. Recommendation: NSW universities should strengthen processes to review and validate published performance information. |
Cyber security | Three universities are still developing their strategy to safeguard against cyber security risks. Recommendation: NSW universities should assess the potential impact of cyber security risks and continue to strengthen cyber security frameworks and controls to protect sensitive data and prevent financial and reputational losses. |
Management of IT service providers | NSW universities have contracts with vendors to support their computer systems. Five universities have not formally established frameworks to manage these contracts. Poor contract management can compound the risks associated with IT control deficiencies. |
Data breach management | Universities are required to maintain privacy on various types of sensitive data which, if disclosed or used inappropriately, could result in harm to individuals, financial loss, or loss of intellectual property. Three universities have not established formal policies to manage data breaches. |
3. Teaching and research
Graduate employment outcomes | NSW universities' 2018 graduate employment outcomes improved |
Student enrolments by field of education | Enrolments at NSW universities increased the most in IT, Engineering and Related Technologies and Society and Culture courses. |
Achieving diversity outcomes | Five universities in 2017 (five in 2016) met the target enrolment rate for students from low socio-economic status (SES) backgrounds. Seven universities in 2017 achieved the target growth rate for enrolments of students from Aboriginal and Torres Strait Islander backgrounds (no target in 2016). |
1. Introduction
This report provides Parliament with the results of our financial audits of New South Wales universities and their controlled entities in 2018, including our analysis, observations and recommendations in the following areas:
- financial reporting
- internal controls and governance
- teaching and research.
1.1 Snapshot of NSW universities
New South Wales has ten public universities established by legislation to provide tertiary education and research functions. The ten universities have established 74 controlled entities, of which 18 are based overseas.
A snapshot of the NSW universities' revenue sources, operating surplus and student numbers for the year ended 31 December 2018 is shown below.
Source: University financial statements (audited).
The total number of students attending NSW universities increased by 3.1 per cent in 2018 to 288,712. The impact of increased student numbers on the financial results and operating margins for the year is analysed later in this report. The graph below shows the movement in the numbers of equivalent full-time students at each NSW university in 2018.
1.2 The Australian Government is changing grant funding for the university sector
The Australian Government’s Commonwealth Grant Scheme (CGS) funding for domestic undergraduate courses was capped for 2018 and 2019, based on 2017 funding levels [1]. The Australian Government’s Budget for 2019–20 indicated [2] that it plans to decrease funding to the higher education sector by 0.5 per cent in real terms from 2019.
[2] Budget Paper No. 1 Statement 5.
2. Financial reporting
Financial reporting is an important element of governance. Confidence and transparency in university sector decision making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations on the financial reporting of NSW universities for 2018.
2.1 Quality of financial reporting
Audit results
We issued unmodified audit opinions on all financial statements submitted by NSW universities and their controlled entities
The 2018 financial statements of all ten NSW universities and 71 of their 74 controlled entities received unmodified audit opinions for the purposes of satisfying the requirements of the Public Finance and Audit Act 1983 (PF&A Act). One controlled entity elected not to comply with the PF&A Act and did not submit financial statements to the Audit Office. Another controlled entity was exempted from financial reporting for 2018. The audit of a third controlled entity is still in progress.
Financial results
In 2018, the net results of eight out of ten universities decreased, primarily due to increased employee-related expenses. A portion of this related to universities recognising obligations for payroll tax on their superannuation liabilities for the first time. This is discussed later in this report.
Two universities improved their net results, both recording increases greater than 65 per cent. The increases were primarily due to growth in fees and charges from increased enrolments of overseas students.
The graph below shows the net results of individual NSW universities for 2018. This graph may be read in conjunction with the one on page 20 showing operating margin percentage for comparison.
Individual universities recorded changes in their income which ranged from -0.4 per cent to +14.7 per cent since 2017. The university with the highest percentage increase in income reported a rise in student fees and charges of 54.6 per cent, primarily from increased overseas student enrolments following a change in arrangements with its enrolment service provider. Investment income decreased for six universities in 2018.
Expenditure of individual universities increased by between 5.5 per cent and 13.5 per cent since 2017. The university with the highest percentage increase in expenditure also reported an increase in employee-related expenses of 11.4 per cent. Employee-related expenses are impacted by the differing treatments applied by NSW universities with regard to their payroll tax obligations on their employees' defined benefit superannuation liabilities. This issue is discussed below.
Quality of financial reporting
A measure of the quality of financial statements is the number and amount of errors and disclosure deficiencies we identify after the financial statements are presented for audit.
In our report to Parliament last year, we recommended universities clarify the recognition and measurement of their liability for payroll tax on their defined benefit superannuation obligations. A 2016 Revenue NSW Ruling confirmed that, under the Payroll Tax Act 2007, employers are liable for payroll tax on their contributions to employee superannuation funds in respect of employees' services after 1 July 1996. Universities have been trying to clarify whether these amounts can be recovered under an agreement they have with the NSW state and Australian Governments. However, to date no such understanding has been reached.
Eight universities recognised a liability for their obligation to pay payroll tax on their employees’ superannuation entitlements at 31 December 2018. Our audits reported three uncorrected errors, each over $5.0 million, and one disclosure deficiency related to incorrect treatment of these obligations. The errors included two universities that did not record a liability, one that recorded a receivable, and one that disclosed a contingent asset. The errors were not sufficiently material in the context of those universities' financial statements to require correction.
Timeliness of financial reporting
Eight universities finalised their audited financial statements this year on or before the date they did last year
All NSW universities and 71 of their 74 controlled entities met the statutory timetable for submitting their financial statements for audit. As noted above, one controlled entity elected not to comply with the requirements of the PF&A Act, one controlled entity was exempted from financial reporting, and one audit of a controlled entity is still in progress.
Our audit opinions on NSW universities' financial statements for 2018 were issued between 15 March 2019 and 18 April 2019. Audit completion dates are presented in the following diagram.
Note: University of Sydney audit completion date in 2018 was the same date as in 2017.
Source: Independent Auditor's Reports issued by the Audit Office.
NSW universities have adopted aspects of early close procedures to improve the timeliness of completion of their financial reporting obligations. Their early close procedures included preparing proforma financial statements, completion of asset revaluations before year-end and identifying and seeking resolution of potential accounting issues.
Forty out of 72 controlled entities that submitted financial statements improved the timeliness of finalisation of their audits this year.
Implementation of new accounting standards
A new accounting standard, AASB 9 ‘Financial Instruments’, changed how universities report income on their investments in 2018
All NSW universities implemented AASB 9 'Financial Instruments' in 2018, which changed the treatment and classification of some (fair value through profit or loss) investments. Previously, changes in the value of some investments were recognised in the statement of financial position and only recognised in the income statement when the gain or loss was realised. Under the new standard, changes in the value of investments designated as fair value through profit or loss are recorded directly in the income statement, whether the gains or losses are realised or not.
The change in the accounting standard was largely responsible for investments designated as fair value through profit or loss increasing to $3.2 billion in 2018 ($1.7 billion in 2017).
The following graph shows the change in proportion of investments now classified as 'fair value through profit or loss' following the implementation of AASB 9.
The total value of all categories of investments increased by $627 million (17.3 per cent) to $4.2 billion in 2018. The increase comprised $376 million of net investment purchases and $251 million in realised and unrealised gains.
Three universities (eight in 2017) have not quantified the impact of new accounting standards
The Australian Accounting Standards require entities to assess, and where possible, quantify the impact of new accounting standards that have been issued but are not yet effective.
The following new accounting standards have been issued by the Australian Accounting Standards Board.
Accounting standard | Date effective |
---|---|
AASB 15 Revenue from Contracts with Customers | For not-for-profit entities, annual periods beginning on or after 1 January 2019 |
AASB 16 Leases | Annual periods beginning on or after 1 January 2019 |
AASB 1058 Income of Not-for-Profit Entities | Annual periods beginning on or after 1 January 2019 |
AASB 1059 Service Concession Arrangements: Grantors | Annual periods beginning on or after 1 January 2020 |
Although three of these standards apply from 1 January 2019, universities are in varying stages of readiness to comply with them. These three standards involve fundamental and significant changes to accounting treatments.
Universities that have not adequately prepared for the implementation of these major accounting standards may have difficulty extracting the information required to ensure their 2019 financial statements are fairly stated in accordance with the new standards.
The universities’ preparedness to implement the new accounting standards varies as below:
- 6 universities are in the process of updating required relevant records such as a register of contracts.
- 8 universities have started working on the potential impact of the new leases standard.
- 7 universities have commenced documenting an implementation plan for the new revenue standards.
- 3 universities have not extended their impact assessment to their controlled entities.
- 3 universities have not disclosed the potential impact of the new revenue standards in their 2018 financial statements.
2.2 Financial performance
Results from operations
The graph below presents the income and expenditure for each university in 2018.
Sources of revenue from operations
NSW universities are responding to the capping of the Australian Government's Commonwealth Grant Scheme (CGS) funding
Over the past six years, various higher education reforms have been proposed by the Australian Government to manage the cost of tertiary education. CGS funding for domestic undergraduate courses for 2018 and 2019 has been capped at the 2017 funding level. In the Mid-Year Economic Fiscal Outlook 2017–18, the Australian Government proposed making funding increases for 2020 contingent on universities meeting certain performance measures.
The NSW universities estimate the funding cap will reduce the revenues they might have expected from Australian Government grants by up to $430 million over the next four years, a decrease of approximately 3.1 per cent per year. Overall, the income stream that recorded the strongest growth over the last five years is fees and charges.
The graph below presents the aggregated income streams for all NSW universities from 2014 to 2018.
The extent to which individual universities have been able to reduce their reliance on grant funding by reducing costs and maximising alternate revenue streams has varied.
Government grants as a proportion of total income has decreased over the past five years
Total government grants for NSW universities have increased by $220 million over the past five years to $3.5 billion in 2018. The major components of NSW universities' total income over the past five years are detailed below.
Source: University financial statements (audited).
The following graph shows major income streams for individual universities for 2018.
Source: University financial statements (audited).
Two regional universities are relatively more dependent on government grants, which represent over 45 per cent of their total incomes (two universities in 2017).
In response to the CGS funding cap, most universities increased student revenue through targeted student recruitment campaigns, broadening their geographic focus, and offering more courses overseas.
In the current year, the change in income from government grants at individual universities varied from a decrease of 1.7 per cent to an increase of 3.6 per cent. Between 2014 and 2018, income from government grants increased by 6.6 per cent.
Total revenue from fees and charges, including Higher Education Loan Programs, increased by 8.8 per cent in 2018 from last year. Two universities experienced a growth in revenue from fees and charges of more than 15 per cent over that time. Over the past five years, revenue from fees and charges increased by 49.3 per cent.
The graph below shows the growth in fees and charges revenue by university over the past five years.
Source: University financial statements (audited).
Course fee revenue from overseas students is growing faster than fees from domestic students
NSW universities' total course fee revenue from overseas students continued to grow and exceed the total course fee revenue from domestic students in 2018 by 54.5 per cent. The increase is due to growth in both the numbers of overseas students and the fees from courses in which they are enrolled.
Overseas student course fees increased for all NSW universities in 2018 and now represent 30.2 per cent of the combined total revenue (28.1 per cent in 2017). The dollar value increased by $412 million (14.6 per cent) from the previous year to $3.2 billion in 2018.
Total revenue from domestic students increased by $31.7 million (1.5 per cent) in 2018. The lower growth rate in fees from domestic student revenue is consistent with the Australian Department of Education and Training’s approved fee increases for Commonwealth Supported Places.
NSW universities' overseas and domestic student course fee revenue for 2014 to 2018 is presented in the following graph.
Source: University financial statements (audited).
The graph below shows individual universities' revenue in 2018 from overseas and domestic students. For the two largest universities, the income from overseas students exceeds income from domestic students.
Source: University financial statements (audited).
Thirty-eight per cent of NSW universities' total student revenues came from overseas students from three countries
In 2018, overseas students contributed $3.2 billion in course fees to the NSW university sector. Students from the top three countries of origin contributed $2.0 billion in fees, which is equivalent to the NSW universities' total revenue from domestic students for 2018. Revenue from students from these three countries comprised 38.4 per cent of total student revenues for all NSW universities and 63.4 per cent of total overseas student revenues in 2018.
The universities that are most dependent on revenue from students from those countries are at risk if demand shifts unexpectedly because of changes in political policy, economic conditions or visa requirements.
The graph below shows NSW universities' revenue in 2018 from overseas and domestic student fees.
The countries of origin of overseas students enrolled at NSW universities are set out below. All universities continue to market their educational products in international markets, focussing on countries in Asia. While the countries of origin of overseas students have diversified, a concentration risk remains. Over 43 per cent of all overseas students attending NSW universities come from China, but not all universities are dependent on students from China. Enrolments of students from India and Nepal have increased. Four universities receive the greatest proportion of fees from overseas students from these countries.
Six universities increased their proportion of revenue from overseas students from a single country in 2018
The highest proportion of overseas student revenue sourced from a single country at individual NSW universities ranged from 24 to 74 per cent (2017: 19 per cent to 72 per cent). The graph below illustrates the relative reliance of each NSW university on a single country for their overseas student revenue.
- This graph shows revenue from overseas students enrolled in bachelor or higher degrees at the parent university.
- The movement in proportion of overseas student revenue from 2017 is shown in percentage points.
Total research income for NSW universities was $1.1 billion in 2017
NSW universities' total research income increased by $119 million (11.7 per cent) in the four years between 2013 and 2017 from $1.0 billion to $1.1 billion. Research income statistics for 2018 will be available from the Australian Department of Education and Training after July 2019.
Two universities attracted 65.4 per cent of the total research income of all NSW universities as shown in the graph below.
NSW universities started preparing to apply new criteria for research grants
The Australian Research Council announced the introduction of the 'national interest test' in November 2018. This will require researchers to outline how their research project will advance the interests of Australia. Earlier in 2018, the Australian Education Minister rejected $4.1 million in recommended Australian Research Council research grants.
NSW universities plan to build on existing strategies and processes to address the new 'national interest test' when applying for Australian Research Council grants from 2019 onward.
Other revenues
Two universities attracted over 69 per cent of philanthropic contributions to NSW universities in 2018
NSW universities and many of their controlled entities are charities and are registered deductible gift recipients for taxation purposes. They can attract significant donations and bequests from public, private and corporate philanthropists.
Two universities attracted 69.3 per cent of the total philanthropic contributions to the NSW universities in 2018. The newer, smaller universities and non-metropolitan universities have been least able to attract donations.
The graph below presents the donations revenue received by each of the NSW universities in 2018.
Operating expenditure
Managing expenditure and optimising cost efficiencies is important for NSW universities to operate in a more competitive environment with less direct government support in the form of grants.
We have defined operating expenditure in this report as total expenses excluding interest, tax, depreciation, amortisation and loss on disposal of assets. Operating revenue is defined as total revenue excluding investment income, donations and gains on disposal of assets. One EFTSL is an equivalent full-time study load for one year.
The graph below shows key components of operating expenditure, and the percentage increase on the previous year, over the past five years for NSW universities.
Source: University financial statements (audited).
Combined total operating expenditure for NSW universities increased to $9.5 billion in 2018 ($8.6 billion in 2017), a rise of 9.8 per cent. During this same period, the total EFTSL increased to 284,609 from 280,023, an increase of 1.6 per cent.
Across the board, employee-related expenses at universities are a significant contributor to total operating expenditure and have grown by 8.1 per cent in 2018 from last year.
The growth in full-time equivalent (FTE) employees has been greater in casual and temporary staff than permanent full-time staff at five universities in 2018. This shift in the structure of the workforce may allow more flexibility to deliver services and manage labour costs.
Over the last year, the average increase in scholarships and grant expenses grew by 19.5 per cent. Other operating expenses grew by 11.3 per cent.
The graph below shows the key components of operating expenditure for each university in 2018.
Source: University financial statements (audited).
Employee-related expenses represent the major portion of expenses at each university and ranged from 54 per cent to 64.9 per cent of the total operating expenditure.
Average operating expenditure per equivalent full-time student load increased in 2018
The rate of increase in operating expenditure in 2018 of 9.8 per cent has exceeded the rate of increase in operating revenue of 7.3 per cent.
In 2018, NSW universities incurred average operating expenditure of $32,737 ($30,743 in 2017) for every EFTSL, an increase of 6.5 per cent.
The margin between average operating revenue and average operating expenditure per EFTSL has decreased from $3,533 in 2017 to $2,919 in 2018 (17.4 per cent).
The graph below compares the margin between average operating revenue per EFTSL, average operating expenditure per EFTSL, and total EFTSL for each NSW university.
Source: Operating expenditure and operating revenue are based on university financial statements (audited). EFTSL numbers are provided by universities (unaudited).
Smaller operating margins reduce the funds available to invest in upgrading infrastructure, repay loans, or implement corporate strategies to meet future challenges. If operating margins are not sufficient, universities would need to draw upon non-operating revenue, such as investment income, donations or gains on disposal of assets, which may fluctuate year to year.
Operating margin percentage
A university's operating margin percentage is its operating result divided by operating revenue. Operating result is operating revenue minus operating expenditure. We have defined the components of operating revenue and operating expenditure earlier in this report.
For eight universities, the operating margin percentage change was negative in 2018. For most of these universities, the decrease was due to the higher employee-related expenses. The risk associated with narrowing operating margins is compounded where universities have a high reliance on student revenues from a single source. Sudden changes in demand can challenge the ability of those universities to adjust their cost structures.
The operating margin for each NSW university in 2018 is shown below. This graph may be read in conjunction with the graph on 'Net results by university for 2018' in section 2.1, showing net results for comparison.
- Operating margin is calculated as: (operating revenue less operating expenditure) divided by operating revenue. Operating revenue excludes donations, investment income and gain on disposal of assets. Operating expenditure excludes interest, tax, depreciation, amortisation and loss on disposal of assets.
- The movement in operating margin from 2017 is shown in the labels.
Current ratio
Nine universities had current ratios greater than one in 2018
The current ratio is a liquidity measure which indicates an entity's ability to meet short-term obligations as and when they fall due. A ratio of less than one indicates that current liabilities exceed current assets.
High current ratios mean individual universities may have opportunities to utilise surplus cash to optimise their income from investments. Low current ratios mean those universities need to actively manage their cash to meet current obligations.
The current ratio for each NSW university for 2018 is shown below.
- Current ratio is calculated as: current assets divided by current liabilities (excluding provisions expected to be settled more than 12 months after year end).
- The movement in current ratio from 2017 is shown in the labels.
At 31 December 2018, one university (two universities in 2017) had a current ratio of less than one. This university has sources of funds for its short-term cash requirements through access to an unused bank loan facility.
Drawing down debt increases borrowings and the cost of that debt needs to be serviced from annual revenues, which narrows operating margins. Where debt is used to pay debt, and borrowings increase on an ongoing basis, it can threaten an organisation's financial sustainability.
Controlled entities
Overall, NSW universities' controlled entities contributed $32.8 million to the sector in 2018
While some universities have started to streamline and reduce the number of their controlled entities to reduce administrative and compliance costs, others have established new entities to expand their operations overseas or commence new business activities. There were five new controlled entities this year overall.
Out of 74 controlled entities, 33 entities reported losses in 2018 (16 in 2017). There were 12 dormant entities in 2018, including corporate trustees that do not trade and entities that have ceased to operate due to business rationalisation.
The NSW universities' controlled entities contributed $32.8 million to the sector's financial result in 2018 ($110 million in 2017). Their financial performance was impacted by restructures, lower enrolments in pathway studies, and lower investment performance.
Twenty-five of the NSW universities' controlled entities required letters of financial support from their parent in 2018 (18 in 2017).
The table below details the number of NSW universities' controlled entities.
University at 31 December 2018 | Total number of controlled entities | Number of dormant entities | Number of overseas controlled entities |
---|---|---|---|
Charles Sturt University | 2 | -- | -- |
Macquarie University | 15 | 7 | 1 |
Southern Cross University | 1 | -- | -- |
University of New England | 5 | -- | -- |
University of NSW | 18 | 1 | 9 |
University of Newcastle | 2 | -- | 1 |
University of Sydney | 7 | -- | 1 |
University of Technology Sydney | 8 | -- | 3 |
University of Wollongong | 9 | 2 | 3 |
Western Sydney University | 7 | 2 | -- |
Total | 74 | 12 | 18 |
Of the six universities with overseas controlled entities, one university has formalised governance arrangements for oversighting its controlled entities’ compliance with overseas legislative requirements and the parent university's policies.
Five universities’ overseas controlled entities do not as yet have their own compliance framework or registers.
Without adequate monitoring of compliance risks, the universities may be exposed to regulatory breaches that may impact their reputation or ability to operate overseas.
3. Internal controls and governance
Appropriate and robust internal controls help reduce risks associated with managing finances, compliance and administration of NSW universities.
This chapter outlines the internal controls related observations and insights across NSW universities for 2018, including overall trends in findings, level of risk and implications.
Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These along with the less significant ones are reported to universities for them to address.
3.1 Internal controls
Internal control findings
Most of the internal control deficiencies identified relate to information technology controls
The audits identified 99 internal control deficiencies (83 in 2017) at NSW universities, of which 51 related to information technology (IT). Universities increasingly rely on IT for financial reporting, student administration, teaching and research, and for efficient and effective delivery of services.
The graphs below describe the spread of management letter findings by risk rating across four key areas.
The table below shows the level of risks on the management letter findings by university for 2018.
Management letter findings 2018
University | High | Moderate | Low | Repeat |
---|---|---|---|---|
Charles Sturt University | 1 | 3 | -- | 1 |
Macquarie University | -- | 9 | 4 | 6 |
Southern Cross University | -- | 10 | -- | 2 |
University of New England | -- | 7 | 4 | 5 |
University of New South Wales | -- | 6 | 5 | 2 |
University of Newcastle | -- | 4 | 7 | 3 |
University of Sydney | -- | 2 | 7 | 2 |
University of Technology Sydney | -- | 2 | 5 | 7 |
University of Wollongong | -- | 9 | 8 | 8 |
Western Sydney University | -- | 2 | 4 | 2 |
We identified one high-risk deficiency relating to IT
The high-risk finding related to ineffective or absent controls to restrict access to sensitive data maintained by the university. We extended our audit procedures and concluded that the control deficiency did not present a risk of material misstatement to the university's financial statements. The university has agreed to explore how the deficiency can be efficiently addressed by implementing new controls.
We identified 54 moderate risk findings, of which 35 related to IT
A summary of moderate risk control deficiencies identified in 2018 is set out below.
Areas | No. of moderate risk control deficiencies | Summary of control deficiencies |
---|---|---|
Information technology | 35 | IT control deficiencies included:
Poor IT controls increase the risk of inappropriate access, cyber security attacks, data manipulation and misuse of information and assets. |
Financial controls | 10 | Financial control deficiencies included:
|
Policies and procedures | 5 | Deficiencies around policies and procedures included:
|
Financial reporting | 4 | Financial reporting deficiencies included:
|
Total | 54 |
Thirty-eight findings were raised in previous years
There were 38 repeat findings (24 in 2017) identified in 2018. Repeat findings arise when the university has not implemented recommendations from previous audits. Twenty-eight repeat findings related to IT control deficiencies. Universities have agreed to prepare implementation plans to address these repeat issues.
IT issues can take some time to rectify because specialist skill and/or partnering with software suppliers is required to implement appropriate controls. Changes to complex systems or IT architecture may involve extensive testing and assessment before they are put into production. However, until rectified, the vulnerabilities those control deficiencies present can be significant.
The graph below shows the spread of repeat findings by area of focus and risk rating.
Performance reporting
Five universities do not have formal processes to internally review and validate the performance information in their annual reports
Annual reporting by the universities is one of the key elements of a good governance framework. Making timely and accurate disclosures is an integral part of the universities' corporate responsibility.
While there is generally a review by the University Council or Vice Chancellor, and some universities internally validate the performance information they publish in their annual reports, we found five universities had not implemented any formal assurance processes to review the accuracy and validity of that performance information.
Two universities engaged their internal auditors to provide assurance on the validity and accuracy of their reported performance metrics.
Six universities have documented policies and procedures to support consistent and reliable collection of performance information for the annual report. However, these did not all include a methodology for review and validation of the information.
3.2 Information technology
Cyber security
Cyber threats are becoming increasingly common and sophisticated as global interconnectivity between computer networks has increased.
Cyber security comprises technologies, processes and controls that are designed to protect IT systems and data from cyber attacks. The cyber security framework consists of identification, protection, detection, response and recovery of IT systems.
Cyber incidents can harm universities' service delivery and may involve:
- theft of information such as intellectual property or personal data
- denial of access to critical technology
- hijacking of systems for profit or malicious intent
- financial loss.
Three universities are still developing their strategy to safeguard against cyber security risks
The trend in common cyber security issues identified at NSW universities is detailed below.
Cyber security issue | Number of universities in 2018 | Number of universities in 2017 | Trend |
---|---|---|---|
Implemented a cyber risk policy | 9 | 9 | |
Maintained a cyber incidents register | 7 | 5 | |
Assessed the potential financial and/or operational impact of cyber attacks | 7 | 7 | |
Established a recovery plan following a cyber attack | 8 | 7 | |
Staff are formally trained in cyber awareness | 6 | 2 | |
Tested cyber resilience in the past three years | 8 | 6 | |
The number of cyber incidents recorded in 2018 by the seven universities ranged from one to 286. Three universities did not record any incidents.
The disparity in the number of recorded incidents is because:
- there are different definitions of what a 'cyber incident' is
- some registers include intercepted or blocked attempts by cyber actors, while others do not.
Universities incurred costs of approximately $24.2 million in managing cyber security in 2018.
Some universities have identified the source of various cyber attacks, most of which come from overseas. The table below details the types of cyber attack with commonly occurring countries of origin.
Type of cyber attack | Common countries |
---|---|
Compromised accounts from phishing | India, Indonesia, Lagos, Nigeria, United Arab Emirates, United States |
Credential stuffing | Brazil, China, Egypt, South Korea |
Denial of service | China, Netherlands, Russia |
Exploits | Australia, Netherlands, United States |
Malware | Australia, China, United States |
Network reconnaissance | Australia, China, France |
Phishing | Lagos, Nigeria, United Arab Emirates |
The Australian Cyber Security Centre (ACSC) has published mitigation strategies and recommended controls for protecting against cyber threats. This set of controls is referred to as the 'Essential Eight'. Whilst universities are not required to adopt these controls, some aspects of the Essential Eight have been implemented at some NSW universities.
ACSC Essential Eight mitigation strategies | Number of universities applying mitigation |
---|---|
1. Application whitelisting: All non-approved applications (including malicious code) are prevented from executing. | 4 |
2. Check and apply security patches: Security vulnerabilities in applications can be used to execute malicious code on systems. | 8 |
3. Configure Microsoft Office macro settings: Microsoft Office macros can be used to deliver and execute malicious code on systems. | 6 |
4. User application hardening: Flash, ads and Java are popular ways to deliver and execute malicious code on systems. | 3 |
5. Restrict / review administrative privileges: Administrative user accounts have extensive access to systems and may be compromised. | 9 |
6. Patch operating systems: Security vulnerabilities in operating systems can be used to further the compromise of systems. | 10 |
7. Multifactor authentication: Stronger user authentication makes it harder for external parties to access sensitive information and systems. | 5 |
8. Daily backups and test for restoration: Ensure information can be accessed again following a cyber security incident. | 7 |
Our 2018 performance audit report on Detecting and Responding to Cyber Security Incidents includes several findings that may be useful for universities to enhance their controls around cyber security risks.
Management of IT vendors and service providers
All universities have IT vendor contracts for major systems and business applications such as finance, student management, payroll and procurement.
Some universities contracted the delivery and maintenance of certain IT services to external providers. These services include:
- communications software
- network infrastructure
- data warehouse facilities
- website hosting and support.
Five universities do not have a formal vendor management framework or policy
Universities manage their IT service providers through a general contract management framework or an IT vendor framework or specific IT vendor contract management plans.
Universities can improve vendor contract management practices
Significant gaps in the NSW universities' contract management were identified as noted below.
Data breach management
Universities maintain various types of sensitive data that are covered by privacy legislation or confidentiality agreements, such as personal information, academic records, and intellectual property.
The Privacy and Personal Information Protection Act 1998 (NSW) requires universities to abide by principles that cover the security of personal information and restrictions on use and disclosure of that information.
In addition, NSW universities teaching students from European Union countries are required to comply with the European Union's General Data Protection Regulation (GDPR) which commenced on 25 May 2018.
NSW universities may be exposed to risks from data breaches resulting in:
- risk to students' and/or employees' safety, or identity theft
- financial loss to an individual or the university
- loss of intellectual property or commercially sensitive data
- reputational damage and loss of public trust for the university.
Three universities have not developed formal policies on data breach management
Three NSW universities have not analysed the risks of data breach management and have not developed a formal policy on data breach management.
The same three universities have not implemented staff training on data protection and breach management.
The Office of the Australian Information Commissioner (OAIC) and the NSW Information and Privacy Commission (IPC) have published guidance and resources for developing plans and policies to comply with privacy laws and voluntary data breach reporting requirements.
The OAIC recommends a data breach response plan should include:
- clear definition of what constitutes a breach
- a strategy for containing, assessing and managing data breaches
- roles and responsibilities of staff
- notification and reporting procedures to internal and external bodies.
Seven universities maintain a register of data breaches or incidents
Seven universities recorded and reported data breach incidents in 2018, with the number ranging from nil to eight. Data breaches were generally caused by human error, system fault, or malicious attack. The universities that recorded fewer incidents did not have formal policies on data breach management and had less consistent reporting practices.
Only two universities maintain a register of data that is managed by third party service providers. Universities that have not assessed the data held by their service providers may be at greater risk of data breaches.
4. Teaching and research
Universities' primary objectives are teaching and research. They invest most of their resources to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and international and Australian rankings.
This chapter outlines teaching and research outcomes for NSW universities for 2018.
4.1 Teaching outcomes
Graduate employment rates
NSW universities' 2018 graduate employment outcomes improved from last year
Universities assess the employment outcomes of their graduates using data published from surveys conducted by the Australian Department of Education and Training's providers.
According to the 2018 survey, eight out of ten NSW universities (seven in 2017) exceeded the national average of 72.9 per cent for full-time employment rates of their undergraduates. This index increased from 71.8 per cent in 2017 and includes employment outcomes from other tertiary education institutions such as TAFE and colleges that provide other vocational education and training qualifications.
Seven universities (four in 2017) performed better than the national average of 86.9 per cent for full-time employment outcomes of their postgraduates. The postgraduate national average increased from 86.1 per cent in 2017.
The graph below presents the results of the 2018 survey.
Student enrolments by field of education
Enrolments at NSW universities increased the most in IT, Engineering and Related Technologies and Society and Culture courses
The highest increases in student enrolments at NSW universities were in:
- IT, Engineering and Related Technologies courses, with an additional 4,840 equivalent full-time students from 2017 (11.9 per cent)
- Society and Culture courses, with an additional 6,462 equivalent full-time students from 2017 (10.5 per cent).
The graph below shows the movement in student enrolments by field of education.
Source: Provided by universities (unaudited).
The increase in Society and Culture enrolments was due to additional course offerings and overall student load increase in proportionally larger faculties such as Language, Law and Social Science.
The increase in IT, Engineering and Related Technologies enrolments was due to growing demand, particularly from overseas students. This field is also a reported skills shortage in NSW, according to the Australian Department of Jobs and Small Business.
Achieving diversity outcomes
In 2009, the Australian Government set a target for 20 per cent of university undergraduate enrolments to be students from low socio-economic status (SES) backgrounds by 2020.
In March 2017, all Australian universities committed to achieving growth rates for enrolments of Aboriginal or Torres Strait Islander students to exceed the growth rate of enrolments of non-indigenous students by at least 50 per cent.
The 2017 results for NSW universities showed:
- five universities (five in 2016) achieved enrolments of more than 20 per cent of domestic undergraduate students from low SES
- seven universities achieved the target growth rate for enrolments of students from Aboriginal and Torres Strait Islander backgrounds (no target in 2016).
Enrolment statistics for 2018 are expected to be available from the Australian Department of Education and Training after July 2019.
NSW universities can continue to improve outcomes for these students by consistently setting targets, tracking achievement against those targets, implementing policies to increase enrolments and supporting students to graduation.
Six universities increased enrolments of students from low SES backgrounds from 2016
NSW universities reported increases in the number of low SES domestic undergraduate student enrolments of one per cent to 39,923 in 2017. Overall student enrolments in NSW increased three per cent in the same period. As the growth in overall students exceeded the growth in low SES students, the target is less likely to be achieved.
Actual enrolments of domestic undergraduate students from low SES backgrounds in 2017 for NSW universities as a percentage of total domestic undergraduate students are shown in the table below.
Nine universities had increased enrolments of students from Aboriginal and Torres Strait Islander backgrounds from 2016
NSW universities increased the overall number of indigenous student enrolments by 484 to 6,256, a growth of 8.4 per cent in 2017. Charles Sturt University, whilst showing decreased enrolments in 2017, had the highest number of indigenous students of the ten NSW universities.
The indigenous student enrolment growth rate for 2017 by university is shown below. The target growth rate is greater than 50 per cent of the growth rate for enrolment of non-indigenous students of 4.5 per cent in the same year.