Report Highlights
What this report is about
Results of the financial statement audits of the public universities in NSW for the year ended 31 December 2022.
What we found
Unmodified audit opinions were issued for all ten universities.
Nine universities reported net deficits in 2022, and all showed a decline from their 2021 results.
Results were impacted by a decline in investment income and government grants.
Wage remediation provisions across the universities increased by 116% to $110 million at 31 December 2022.
Expenditure increased as universities transitioned back to face-to-face teaching with the lifting of most COVID-19 restrictions.
Revenue from overseas students decreased by 0.5% overall in 2022, although not all universities were impacted equally.
Nearly 42% of fees and charges revenue came from overseas student revenue from three countries of origin (43% in 2021).
What the key issues were
We reported 88 findings to universities on internal control deficiencies (105 in 2021).
Six high risk findings were identified (four in 2021), relating to:
- IT control deficiencies in monitoring privileged user access
- password configuration
- cyber security process improvements
- lack of security over access to EFT payment files
- the status of a university's work in assessing its liability for underpayment of staff
- inadequate review of contracts leading to incorrect accounting treatments.
Two out of 13 entities reported financial losses from cyber incidents in 2022.
Retention policies on personally identifiable information (PII) vary and universities can further reduce their PII exposure risk from cyber attack.
What we recommended
Universities should:
- conduct a comprehensive assessment of their employment agreements and historical pay practices to identify potential underpayments
- prioritise actions to address repeat findings on internal control deficiencies in a timely manner
- review their PII retention policies to ensure PII stored is limited to the entity's needs, held only for the minimum duration it is legally and operationally required, and access is strictly limited.
Fast facts
1. Introduction
This report provides Parliament with the results of our financial audits of universities in New South Wales and their controlled entities in 2022, including our analysis, observations and recommendations in the following areas:
- financial reporting
- internal controls and governance
- teaching and research.
1.1 Snapshot of NSW universities
** Equivalent Full-Time Student Load (EFTSL) represents the equivalent full-time study load for one year. Note: EFTSL enrolments for 2020 were 289,667, and for 2021 were 291,412 (adjusted from 2021 report due to late clarification of numbers).
*** Full-Time Equivalent (FTE).
Source: Student and staff numbers are provided by universities (unaudited).
2. Financial reporting
Financial reporting is an important element of good governance. Confidence and transparency in university sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines our audit observations related to the financial reporting of universities in NSW for 2022.
Section highlights
|
2.1 Quality of financial reporting
Audit results
Unmodified audit opinions were issued for all universities
Unmodified audit opinions were issued on all ten universities' 31 December 2022 financial statements. Sufficient and appropriate audit evidence was obtained to conclude the financial statements were free of material misstatement.
Unmodified audit opinions were issued for 50 of 74 university controlled entities
Of the 74 university controlled entities in 2022:
- 50 received unmodified audit opinions
- 23 entities were relieved from the Government Sector Finance Act 2018 (GSF Act) reporting requirements
- the audit of one entity is still in progress.
Division 2 of the Government Sector Finance Regulation 2018 excludes certain entities from having to prepare financial statements under the GSF Act if all of the following criteria are met:
- the assets, liabilities, income, expenses, commitments and contingent liabilities of the entity are each less than $5 million
- the total cash or cash equivalents held by the entity is less than $2.5 million
- at least 95% of the entity’s income is derived from money paid out of the Consolidated Fund or from money provided by other relevant agencies
- the entity does not administer legislation for a minister by or under which members of the public are regulated.
These exclusions meant 23 university controlled entities were exempted from GSF Act reporting requirements in 2022 (22 in 2021). Entities that are exempted from financial reporting obligations are not audited by the Auditor-General.
The number of identified monetary misstatements decreased in 2022
The number of monetary misstatements identified during the audits of universities' financial statements decreased from 38 in 2021 to 27 in 2022. A monetary misstatement is an error in amount recognised in the financial statements initially submitted for audit.
Reported corrected misstatements decreased from 20 in 2021 to 19 with a gross value of $173 million in 2022. Reported uncorrected misstatements decreased from 18 in 2021 to eight with a gross value of $18.4 million in 2022.
The table below shows the number and quantum of monetary misstatements for the past two years.
Year ended 31 December | 2022 | 2021 | ||
Corrected misstatements | Uncorrected misstatements | Corrected misstatements | Uncorrected misstatements | |
Less than $50,000 | 2 | 0 | 0 | 0 |
$50,000 to $249,999 | 3 | 0 | 0 | 4 |
$250,000 to $999,999 | 2 | 5 | 4 | 6 |
$1 million to $4,999,999 | 4 | 1 | 6 | 7 |
$5 million and greater | 8 | 2 | 10 | 1 |
Total number of misstatements | 19 | 8 | 20 | 18 |
Of the 19 corrected monetary misstatements in 2022, eight had a gross value of greater than $5 million and related to the following:
University | Description of corrected misstatements > $5 million |
University of New England | The university misclassified $8.7 million of intangible assets within property, plant and equipment. |
University of New South Wales | The university identified additional assets and liabilities of $15.8 million and $57 million respectively, that were not fully quantified prior to submitting the financial statements for audit. |
University of Newcastle | The university had overstated both accrued expenses and prepayments by $9.7 million. |
University of Sydney | The university misclassified $15 million of employee provisions as payables. |
Western Sydney University |
The university:
|
Of the eight uncorrected monetary misstatements in 2022, two had a gross value of greater than $5 million, which comprise the following:
University | Description of uncorrected misstatements > $5 million |
University of Sydney | The net value of investments was understated by $8.5 million. The value of these investments was verified by audit through external confirmations that were not available when management prepared the financial statements. |
University of Wollongong |
There is a judgemental difference in accounting treatment for an investment in an associate. As a result, other financial assets are overstated by $5.2 million. The University currently recognises its 23.6% ownership of the total shares in an entity as a financial investment but has not undertaken a formal assessment of the appropriate accounting for its interest under AASB 128 'Investments in Associates and Joint Ventures'. In the absence of that assessment, there is no basis to support recognition of the carrying value of the investment. |
2.2 Timeliness of financial reporting
All but one university's controlled entity met the statutory timeframe for submitting draft financial statements for audit
All ten universities met the reporting deadlines for submitting their 2022 financial statements. One of the University of New England's controlled entities submitted its draft financial statements six days late.
The Treasurer's Direction TD 21-03 'Submission of Annual GSF Financial Statements to the Auditor-General' issued on 16 June 2021 requires GSF agencies to submit their draft financial statements for audit within six weeks following the end of the annual reporting period concerned.
The Government Sector Audit Act 1983 does not specify the statutory deadline for issuing the audit reports. At the date of this report, the audit of one university controlled entity's financial statements is ongoing.
Our audit opinions on universities' financial statements for 2022 were issued between 23 March 2023 and 26 April 2023. Audit completion dates are presented in the following diagram.
Source: Independent Auditor's Reports issued by the Audit Office.
2.3 Common accounting issues
Wage remediation provisions increased by 116% in 2022
Complexity in enterprise agreements and inconsistent interpretation of the terms within those agreements has meant that for several years, universities have both over and underpaid certain staff. NSW universities have recorded provisions of $110 million in aggregate at 31 December 2022 ($50.8 million in 2021) relating to these historical underpayments of staff wages and entitlements. While conducting reviews of their compliance with enterprise agreements, six universities identified new categories of underpayments during 2022, which has contributed to the increase. These new categories of underpayments are estimated to impact at least 2,100 employees across the sector.
Universities have collectively remediated $27.9 million during the year to staff identified as having been underpaid. The balance at 31 December 2022 represents estimates of amounts still owing or likely to be owing to staff the universities have identified as being at risk of having been underpaid.
Four universities reported they have implemented procedures to mitigate the risk of future staff underpayments, while six universities have commenced these procedures which are still in progress.
RecommendationUniversities should conduct a comprehensive assessment of their employment agreements and historical pay practices to identify potential underpayments. The review should include consideration of:
|
2.4 Impacts of COVID-19
The COVID-19 pandemic continued to affect the NSW university sector in 2022. Total overseas student enrolments decreased again in 2022 and affected universities' revenue from course fees and charges. Meanwhile, as most COVID-19 restrictions were removed, universities started to return to on-campus teaching and working while still maintaining hybrid/digital modes of operation which contributed to increased expenditure for travel, use of consultants and repairs and maintenance (refer to section 2.5 for further details). Asset utilisation rates increased accordingly, as did student accommodation rates.
There was also a shift in modes of learning where metropolitan universities reduced the number of courses they delivered digitally in 2022 while regional universities increased theirs (refer to section 4.1 for further details).
The ongoing impact of COVID-19 on overseas student numbers has not affected universities equally
Overseas student enrolments by equivalent full-time student load (EFTSL) decreased overall by 1.2% since 2021. However, four universities increased their overseas student enrolments, which increased their overseas student revenue.
Combined domestic student enrolments by EFTSL decreased by 5.3%, with only one university experiencing a small increase in domestic students.
The graph below shows the movement in student enrolments (EFTSL) between 2022 and 2021.
Source: Provided by universities (unaudited).
Only one university identified surplus land and building assets
With the lifting of COVID-19 restrictions in 2022 and a transition back to face-to-face teaching, universities have experienced increased usage of physical campus buildings and student accommodation. One university, the University of Newcastle, identified land and building assets that were surplus to requirements in 2022. These comprised of teaching, accommodation and mixed-use spaces.
Student accommodation rates return to pre-pandemic levels
Universities that own student accommodation buildings have experienced a significant increase in the average occupancy rate from 43% in 2021 to 74% in 2022. This is on par with the occupancy rate of 74% in 2019 before the onset of the COVID-19 pandemic. Accordingly, revenue from student accommodation this year has increased 87.3% to a total of $109 million.
In October 2022, the Tertiary Education Quality and Standards Agency mandated that overseas students must return to face-to-face learning by 30 June 2023, in a return to compliance with Education Services for Overseas National Code. The National Code was relaxed during 2020 and 2021 due the COVID-19 pandemic and allowed flexibility for overseas students to study in Australia or offshore. At the same time, the Department of Home Affairs stipulated that restricted work rights for student visa holders will be reinstated on 1 July 2023 so that student visa holders will only be allowed to work up to 48 hours a fortnight. The previous work restrictions of 40 hours a fortnight were lifted during the COVID-19 pandemic to address labour shortages.
In January 2023, China issued an edict requiring students studying with a foreign university online to return to in-person classes.
These factors will drive an increase in overseas students returning to Australia for their studies, increasing demand for student accommodation.
2.5 Financial performance
Financial results
Universities' net results have declined in 2022
Only one NSW university reported a positive net result in 2022 (ten in 2021). All universities' net results declined from 2021.
The graph below shows the net results of individual universities for 2022 and 2021. As in last year's report, the 2021 results were adjusted to exclude the impact of the Education Australia Limited (EAL) transaction for comparability across universities. Consequently, one university that had reported a positive net result is shown as a negative adjusted net result.
Due to outliers in net results, the above two graphs show the same information: an overall picture is presented on the left-hand side, and a detailed picture on the right-hand side on a smaller scale.
Source: Universities' consolidated financial statements (audited).
Key drivers behind the 2022 results were:
- decline in combined investment income by 108%, with six universities experiencing overall investment losses in 2022
- reduced government grants for nine universities
- continued decrease in overseas student revenue for six universities
- increased combined employee related expenses of 4.9%, which include $73.1 million in remediation of wages.
The graph below presents the revenue and expenditure for each university in 2022.
The movement in revenue and expenditure for each university and for the sector as a whole is analysed later in this report.
Revenue from operations
A snapshot of the universities' revenue for the year ended 31 December 2022 is shown below.
Source: Universities' consolidated financial statements (audited).
2021 revenue has been adjusted to exclude the impact of EAL transactions in investment income.
Percentages above have been rounded to the nearest whole number.
Source: Universities' consolidated financial statements (audited).
Combined revenue for universities totalled $11.1 billion in 2022, representing a decrease of $1 billion (9.5%) from 2021 (using adjusted 2021 revenue to exclude the impact of Education Australia Limited (EAL) transactions). The decrease was mainly due to a $782 million reduction in combined investment income, resulting in overall investment losses, and decreased government grants of $246 million. As a relative proportion of total revenue, fees and charges have returned to representing over half of universities' total revenue as they did in 2020 and prior years.
Government grants represented 35% of universities' combined revenue in 2022
Aggregated government grants revenue to NSW universities decreased from $4.1 billion in 2021 to $3.9 billion in 2022. As a proportion of the total revenues of all universities, government grants increased slightly to 35.3% (34.4% in 2021).
In previous years, various higher education reforms have been proposed by the Australian Government to manage the cost of tertiary education and to reduce universities' reliance on government grants. Prior to the onset of the COVID-19 pandemic, combined government grants as a proportion of the total revenue of universities in NSW had been steadily reducing, since at least 2015, to their lowest point in 2019 of 31.1%. However, while the dollar value of government grants fell in 2022, the percentage of government grants to total revenues has increased since 2020.
Government grants and investment income have decreased in 2022
The graph below presents the aggregated revenue streams for all universities in NSW from 2018 to 2022. The COVID-19 pandemic impacted the financial results from 2020 onward.
2021 investment income has been adjusted to exclude the impact of EAL transactions.
Source: Universities' consolidated financial statements (audited).
In 2022, combined fees and charges was the only revenue stream that experienced a slight growth of $42.6 million from the prior year. However, this movement was not equally shared as only four universities recorded increased fees and charges revenue in 2022. Combined other revenue remained fairly consistent, with a slight decrease of $50.2 million or 3.6% from 2021.
Government grants decreased by 5.9% in 2022 from the previous year. However, 2021 grants included additional funding for the Research Support Program, totalling $297 million for the NSW universities, which did not recur in 2022. Excluding this, government grants otherwise increased by $51.5 million.
Volatility in global financial markets contributed to the decrease in investment income in 2022, impacted by the war in Ukraine, and rising inflation in Australia and other economies. Universities also recorded investment losses in 2022 relating to their shareholding in IDP shares which dropped 20.8% since 31 December 2021.
Over the past five years, fees and charges revenue overall had the smallest growth rate of 2.3%. However, at its peak of $6.2 billion in 2019, the growth rate was 7.9% between 2018 and 2019. The decrease in 2020 reflects the impact of the COVID-19 pandemic with reduced overseas student enrolments. The largest growth rates over the last five years have been in government grants, with an increase of 10.3% ($364 million), and other revenue of 9.1% ($112 million).
The following graph shows major revenue streams by universities for 2022. In 2022, four universities (five in 2021) received over 40% of their total revenue from government grants.
Source: Universities' consolidated financial statements (audited).
In the current year, nine universities saw a decrease in government grants from the prior year. The change in revenue from government grants at individual universities varied from a decrease of 8.8% to an increase of 0.1%.
The graph below shows government grants received at individual universities in 2022 with the percentage change from 2021.
Source: Universities' consolidated financial statements (audited).
In 2022, course fees revenue decreased by 0.5% from overseas students and decreased by 0.7% for domestic students
Universities' overseas and domestic student course fees and charges revenue for 2018 to 2022 is presented in the following graph.
Source: Universities' consolidated financial statements (audited).
Prior to the COVID-19 pandemic which introduced global travel restrictions, course fees and charges revenue from overseas students had been increasing steadily since at least 2012 to their peak of $3.6 billion in 2019. Since 2019, overseas student revenue has decreased by $334 million or 10.1%. This decrease has been driven by a 15.4% decrease in the number of overseas students studying at universities in NSW, from 93,557 full-time equivalent students in 2019 to 79,123 students in 2022.
Over the same period from 2019 to 2022, course fees and charges revenue from domestic students has grown by $50.6 million or 2.3%. The movement in full-time equivalent students from 206,141 in 2019 to 200,073 in 2022 is a decrease of 2.9%. The decrease in students has been offset by fee rate increases.
In comparing average revenue per student, universities earn nearly twice as much from overseas students compared to domestic students. In aggregate for the NSW universities in 2022, the average revenue per domestic full-time equivalent student (including amounts from Higher Education Loan Programs and CGS funding for Commonwealth Supported Places) was $22,195. The average revenue per overseas full-time equivalent student was $41,491.
The graph below shows individual universities' revenue in 2022 from overseas and domestic students. Income from overseas students exceeds income from domestic students at two universities (two in 2021). These were the University of New South Wales and the University of Sydney. Overseas student revenue recorded by these two universities makes up over 66% of total overseas student revenue for universities in NSW.
Source: Universities' consolidated financial statements (audited).
Six universities recorded decreases in overseas student revenue compared to 2021. The movement in overseas student revenue in 2022 by university is shown in the graph below.
The movement in overseas student revenue did not impact each university equally. Different universities attract overseas students from different countries of origin in varying proportions. Students from some countries were better able to return to Australia to continue their studies or were able to transition to online learning. The quality of the telecommunications infrastructure in students' home countries and time-zone differences contributed to the ease (or difficulty) of transition. The ability (or inability) of students from foreign countries to continue their studies impacted the revenues earned by universities where they were enrolled.
Almost 42% of universities' total revenue from course fees in 2022 came from overseas students from three countries
In 2022, overseas students contributed $3.1 billion in course fees to universities in NSW ($3.1 billion in 2021), increasing by $4 million from 2021. Students from the top three countries of origin contributed $2.4 billion in fees ($2.4 billion in 2021), which closely approximates the universities' total revenue from domestic students for 2022. These top three countries were China, India and Nepal (same in 2021). Revenue from students from these countries comprised 41.5% (42.5% in 2021) of total student revenues for all universities, and 75.6% of total overseas student revenues in 2022.
As we have reported previously, a high level of reliance on student revenue from these three countries of origin poses a concentration risk for NSW universities. Unexpected shifts in demand arising from changes in the geo-political or geo-economic landscape, or from restrictions over visas or travel can impact revenues, operating results and cash flows. The consequence of the reliance on revenues from overseas students when there is a lack of diversification in the countries of origin was realised as travel restrictions were implemented following the outbreak of COVID-19 in early 2020. While all universities' revenues from overseas students were negatively impacted in 2020, there was a greater impact initially and less resilience in student revenues from some countries of origin over the following two years.
The graph below shows the parent universities' revenue in 2022 from overseas and domestic student fees and charges.
Note 2: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS.
Source: Total revenue from domestic and overseas students was sourced from universities' parent financial statements (audited). Revenue from students by country of origin was provided by universities (unaudited).
Student enrolments from China represent over half of total overseas enrolments in 2022
The number of overseas student enrolments (by headcount) at NSW universities increased slightly from 138,907 in 2021 to 138,941 in 2022.
2019 was the last year data was not impacted by the pandemic. Overall enrolments of overseas students have continued to decline throughout the pandemic. Enrolments of overseas students has fallen by 12.4% overall from pre-pandemic levels. A notable exception is the enrolment of students from China, which increased by 271 students in 2022, following an increase of 2,259 in 2021. Students from China now represent over half of all overseas student enrolments.
All universities continue to market their educational products in international markets, focusing on countries in Asia. Whilst the countries of origin of overseas students have diversified in the years leading up to 2019, the trend has since reversed, primarily due to a reduction in students from countries other than China.
The graph below shows the composition of overseas student enrolments by country of origin over the past five years.
The highest proportion of overseas student revenue sourced from a single country of origin at individual universities ranged from 22% to 84% (2020: 19% to 86%). It is important to note that not all universities are dependent on revenue from students from China. However, the pandemic has increased the number of universities where China is the leading source of overseas student revenue. Chinese students were able to access technology to continue their studies and were less disadvantaged by time differences.
While enrolments of students from India and Nepal had been increasing in the years up to 2019, they decreased from 2020. For two universities, the University of Wollongong and Southern Cross University, the top country of origin changed from India to China in 2021. Seven out of the ten universities now record China as the leading source of overseas student revenues. This creates not only a concentration risk for each university, but for the NSW university sector as a whole.
The graph below illustrates the relative reliance of each university on a single country for their overseas student revenue. Most of these have decreased in 2022 from last year. Only three universities now have over 40% of their overseas student revenue reliant on one country, compared to six universities with over 40% reliance in 2019.
Source: Provided by universities (unaudited).
Other revenues
Overall philanthropic contributions to universities increased by 13.7% in 2022
Universities and many of their controlled entities are charities and are registered as deductible gift recipients for taxation purposes. They can attract significant donations and bequests from public, private and corporate philanthropists. Some bequests are tied to specific research activities, in which case in order to comply with the terms of the bequest, the university may not use the funds for other purposes.
Philanthropic contributions to universities increased by 13.7% from $179 million in 2021 to $203 million in 2022. However, philanthropic contributions decreased at two universities in 2022.
The University of Sydney and the University of New South Wales attracted 61.6% of the total philanthropic contributions to the universities in 2022 (69.6% in 2021). The newer, smaller and non-metropolitan universities have been least able to attract donations, although most of them still experienced a growth in donations in 2022.
The graph below presents the donations revenue received by each of the universities in 2022.
Total research income for universities was $1.6 billion in 2021
Universities' total research income increased by $147 million (9.8%) in 2021 compared to 2020. The increase over the five years between 2017 and 2021 was $501 million (44%) from $1.1 billion to $1.6 billion, mostly attributed to increased industry and other funding and Australian Competitive Grants of a combined $397 million.
Research income statistics for 2022 will be available from the Australian Department of Education, Skills and Employment after July 2023.
Two universities attracted 69% of the total research income of all universities (67% in 2020). The graph below shows research income by university in 2021.
Expenditure
A snapshot of combined expenditure at universities in NSW for the year ended 31 December 2022 is shown below.
Source: Universities' consolidated financial statements (audited).
Universities' combined expenditure increased by 6.6% in 2022
Combined expenditure for universities totalled $11.2 billion in 2022. This was an increase of $694 million (6.6%) from 2021. Most of this increase has been in employee related expenses and other expenses.
The outbreak of the COVID-19 pandemic put immediate financial pressure on the sector and universities responded by implementing cost saving measures. However, as COVID-19 restrictions relaxed, 2022 saw most universities transition back to face-to-face teaching and working. As a result, the combined 'other' expenses including travel and entertainment, staff development, consultants and repairs and maintenance increased by 13.6% in 2022 by $389 million to $3.2 billion. This was largely driven by costs associated with:
- travel, entertainment and staff development expenses increasing by $98.1 million (206%) as most travel restrictions were lifted in Australia and internationally
- consultant and professional services expenses increasing by $25.7 million (14.7%)
- repairs and maintenance expenses increasing by $25.2 million (11.6%).
Employee related expenses increased 4.9% in 2022
Combined employee related expenses for universities increased to $6.2 billion in 2022, up by $289 million (4.9%) from 2021. The movement was partially due to a growth in full-time equivalent (FTE) staff numbers by 1,210 or 3.1%, and wage increases in line with enterprise agreements.
Redundancy expenses decreased from $111 million in 2021 to $17.5 million in 2022. The number of positions made redundant during the year also fell from 1,297 positions to 734 in 2022.
Combined expenses relating to wage underpayments amounted to $73.1 million in 2022, up from $19.5 million in 2021.
The expenditure for each university in 2022 with the change since 2021 is shown below.
Only two universities reduced expenses during 2022 compared to the ten universities that reduced expenses during 2021. The biggest reduction was at the University of Wollongong where savings of $21.8 million were achieved. The biggest increase in expenses, of $298 million, was reported by the University of New South Wales.
The graph below shows the key components of expenditure for each university in 2022.
Employee related expenses represent the major portion of expenses at each university and ranged from 53% to 61% of total expenditure.
Controlled entities
The overall number of universities' controlled entities remained unchanged
While some universities have started to streamline and reduce the number of their controlled entities to contain administrative and compliance costs, others have established new entities to expand their operations overseas or commence new business activities. There were two new controlled entities created (one each for Macquarie University and University of Wollongong), one entity deregistered (Macquarie University) and one entity sold (University of Technology) in 2022, resulting in the same number of controlled entities this year overall.
Out of 74 controlled entities, there were 12 dormant entities at 31 December 2022 (14 in 2021), including corporate trustees that do not trade and entities that have ceased to operate due to business rationalisation.
While many of the universities' controlled entities were impacted by the COVID-19 pandemic, none were closed as a result. All controlled entities were able to demonstrate they were going concerns (that is able to meet financial obligations as and when they fall due for the next 12 months). However, 17 controlled entities reported a loss in 2022 (18 in 2021).
Twenty-two of the universities' controlled entities required letters of financial support from their parent in 2021 (29 in 2021).
Depending on the nature of their business, the controlled entities based in Australia were impacted by COVID-19 in the following ways:
- reduced activity in student services such as food outlets, gymnasiums and sporting facilities due to less students on campus
- reduced enrolments in academic pathway courses with general reduction in overseas students
- increased costs to business for research activities, in terms of protective equipment and reduced capacity due to physical distancing.
Controlled entities based overseas did not report significant disruption of their activities from COVID-19.
The table below details the number of universities' controlled entities.
University at 31 December 2022 | Total number of controlled entities | Number of dormant entities | Number of overseas controlled entities |
Charles Sturt University | 2 | -- | -- |
Macquarie University | 14 | 8 | 1 |
Southern Cross University | 1 | -- | -- |
University of New England | 5 | 1 | -- |
University of NSW | 16 | 1 | 7 |
University of Newcastle | 4 | -- | 1 |
University of Sydney | 3 | -- | 1 |
University of Technology Sydney | 10 | -- | 5 |
University of Wollongong | 13 | 1 | 8 |
Western Sydney University | 6 | 1 | -- |
Total | 74 | 12 | 23 |
3. Internal controls
Appropriate financial controls help to ensure the efficient and effective use of resources and administration of policies. They are essential for quality and timely decision-making.
This chapter outlines our observations and insights from our financial statement audits of NSW universities.
Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These, along with the less significant matters, are reported to universities for management to address.
Section highlights
|
3.1 Findings reported to management
The number of findings reported to management has decreased, but 47% were repeat issues
Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of agencies. The Audit Office does this through management letters, which include our observations, the related implications, our recommendations and risk ratings.
In 2022, there were 88 findings raised by universities (105 in 2021). Forty-seven per cent of all issues were repeat issues (43% in 2021).
The most common repeat issues related to user access and privileged user review and outdated policies and procedures.
A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports, and in generating financial statements. This can impair decision-making, impact service delivery and expose universities to fraud, financial loss and reputational damage. Poor controls may also mean staff may be less likely to follow internal policies.
2022 audits identified six high risk findings
In 2022, the Audit Office reported six high risk findings with one carried forward since 2019. The details of these findings are summarised below.
University | Description |
2022 findings | |
University of New England | We reported four high risk findings related to information technology. These were:
Three of the four observations have been repeated for over three years and remain unaddressed. Consequently, the risk associated with this exposure is increased until the deficiencies are addressed. |
University of New South Wales |
In 2019, the university identified that correct payment rates had not been consistently applied to casual academic staff in some cases. The absence of effective financial controls, which may have prevented the need to provide for a potential underpayment of casual staff salaries, resulted in extended audit procedures being performed to conclude that the control deficiencies did not present a risk of material misstatements. In response, the university continues to assess its liability for underpayment of casual staff entitlements and continues to implement processes to address identified deficiencies. |
Western Sydney University |
The university incorrectly accounted for two aspects of a significant transaction relating to one of its campuses. These transactions included $13.3 million incorrectly accounted for as land assets where the rights to the assets had previously been divested. It appears the substance of the transaction was not appropriately understood, resulting in the relevant accounting standards and associated management judgements and assumptions not being fully assessed. Further, the related contracts were not included in the university's contracts register, which was incomplete. |
Findings are categorised as relating to information technology, financial controls, financial reporting and governance and oversight. The table below describes the common issues identified at universities by category and risk rating.
Risk rating | Issue |
Information technology | |
High: 0 new, 4 repeat Moderate: 7 new, 3 repeat Low: 8 new, 3 repeat |
The financial audits identified opportunities for universities to improve information technology processes and controls that support the integrity of financial data used to prepare universities’ financial statements. Of particular concern are issues associated with:
|
Internal control deficiencies or improvements | |
High: 0 new, 1 repeat Moderate: 4 new, 5 repeat Low: 7 new, 5 repeat |
The financial audits identified internal control deficiencies across key business processes, including:
|
Financial reporting | |
High: 1 new, 0 repeat Moderate: 5 new, 3 repeat Low: 6 new, 2 repeat |
The financial audits identified opportunities for universities to strengthen financial reporting, including:
|
Governance and oversight | |
High: 0 new, 0 repeat Moderate: 4 new, 5 repeat Low: 5 new, 10 repeat |
The financial audits identified opportunities for universities to improve governance and oversight processes, including:
|
The number of moderate risk findings decreased from prior year
Thirty-six moderate risk findings were reported in 2022, representing a 36% decrease from 2021. Of these, 16 were repeat findings, and 20 were new issues.
Moderate risk findings mainly related to:
- weaknesses in user access management, such as untimely access removal for terminated staff, access provided without formal approval, and a lack of periodic user access review
- several policies and procedures that had not been reviewed by the due dates
- gaps in Information Technology General Controls, including monitoring of privileged user accounts and changes made by privileged users.
The table below shows the levels of risk on the findings by university for 2022, and how many of the findings were repeat issues.
Internal control findings 2022 | ||||
University | High | Moderate | Low | Repeat |
Charles Sturt University | -- | 4 | 6 | 5 |
Macquarie University | -- | 2 | 5 | 3 |
Southern Cross University | -- | 6 | 2 | 3 |
University of New England | 4 | 7 | 8 | 10 |
University of New South Wales | 1 | 2 | 4 | 4 |
University of Newcastle | -- | 2 | 6 | 3 |
University of Sydney | -- | 5 | 4 | 4 |
University of Technology Sydney | -- | -- | 1 | -- |
University of Wollongong | -- | 7 | 5 | 5 |
Western Sydney University | 1 | 1 | 5 | 4 |
Total | 6 | 36 | 46 | 41 |
Forty-one findings were raised in previous years
There were 41 repeat findings (45 in 2021) identified in 2022. Repeat findings arise when the university has not implemented recommendations from previous audits. Ten repeat findings related to IT control deficiencies. Universities have agreed to prepare implementation plans to address these repeat issues.
IT issues can take some time to rectify because specialist skill and/or partnering with software suppliers may be required to implement appropriate controls. Changes to complex systems or IT architecture may involve extensive testing and assessment before they are put into production. However, until rectified, the vulnerabilities those control deficiencies present can be significant.
RecommendationUniversities should prioritise actions to address repeat findings on internal control deficiencies in a timely manner, particularly those that have been repeat findings for a number of years. |
The graph below shows the spread of repeat findings by area of focus and risk rating.
3.2 Cyber security
This section outlines observations from our review of the cyber security planning and governance arrangements at all NSW universities. We also reviewed the controlled entities of universities if they:
- were reasonably large
- maintained IT control environments and systems that are separate from the parent
- and had their own governance committees.
These entities were:
- UNSW Global Pty Limited (controlled by the University of New South Wales)
- MQ Health Pty Limited (controlled by Macquarie University)
- Insearch Limited (controlled by the University of Technology Sydney).
Cyber threats are increasingly common and sophisticated. Recent high profile attacks on universities in Australia have included the targeting of university staff through phishing to open avenues for the introduction of malicious software (malware) into key systems. Universities have also been subject to data breaches, with personally identifiable information on staff, students and external parties being obtained by unauthorised users.1 The continuing trend towards digital delivery of services has increased the vulnerability of organisations to cyber threats.
The COVID-19 pandemic has exacerbated these risks. It has increased universities' reliance on the internet to work and deliver classes remotely, to provide access to services and information, and to communicate across Australia and in many instances globally. Traditional security policies within an organisation’s perimeter are harder to enforce in networks made up of home and private networks, and assets the organisation does not manage. This has increased the cyber risks for universities and their subsidiaries.
Cyber security management comprises technologies, processes and controls that are designed to protect IT systems and sensitive data from cyber attacks. Cyber incidents can harm service delivery and may involve:
- theft of information such as intellectual property or sensitive personal data
- denial of access to critical technology
- hijacking of systems for profit or malicious intent
- financial losses.
In this section, we have considered how best to balance the need to support public accountability and transparency with the need to avoid revealing information that could pose additional risk to an entity and its systems. This has involved an assessment of the appropriate level of detail to include in the report about the cyber security vulnerabilities identified in our audits. Deficiencies are not attributed to individual entities in this report. However, each entity has been informed of observations specific to them.
Cyber security planning and governance
Cyber security policy/frameworks can be improved
As at 31 December 2022, we observed all entities had developed a cyber security policy or framework document that was readily accessible, generally available on their intranet and assigned roles and responsibilities for cyber security, including points of escalation and a governance committee. We also noted the following areas that can be improved:
- 5 entities did not review their policy in the 12 months to 31 December 2022. Whilst not mandated, an annual review of the information security policy’s design and implementation can ensure security measures remain current
- 2 entities did not define cyber incidents or attacks. Defining incidents or attacks is critical to ensure incidents are appropriately identified, responded to and reported to those charged with governance
- 1 entity’s cyber security plan or road map did not include target levels of cyber maturity. The absence of defined targets can reduce the likelihood risks will be adequately mitigated or increase the timeframes within which the risks are mitigated
- 1 entity did not define points of escalation. The inclusion of escalation points within a policy are important to ensure effective incident management.
NSW universities and their controlled entities are not required to use a specific framework or model for managing cyber security. All but two of the entities have adopted one of the two major external framework models or a hybrid of the two, being:
- Australian Cyber Security Centre (ACSC) Essential Eight mitigation strategies
- National Institute of Standards and Technology (NIST) cyber security framework.
Five entities aligned their policy with the NIST cyber security framework. Four entities have aligned with the ACSC Essential Eight mitigation strategies. Three entities have adopted a combination of frameworks. One entity has not aligned to an external framework.
The chart below shows how entities have designed their cyber security frameworks.
Cyber security controls
Entities continue to assess their cyber security controls with all but one performing an assessment in the last 12 months for operating effectiveness. In these assessments, IT controls were reviewed by a party independent of the IT function. However, there are opportunities for further improvement with respect to:
- 23% of entities not performing reviews of their logs of privileged user activities
- 62% of entities not quarantining activities of privileged users to environments that do not have internet facing capabilities, for various reasons including genuine business needs
- 69% of entities not having automated notification systems to alert the IT function when a new user is added
- 77% of entities not having automated notification systems to alert the IT function when user permissions are changed
- 8% of entities not performing a resilience review during 2022.
Cyber security threats
Entities have identified their material digital and electronic assets subject to cyber security risk. The nature of these assets varies across entities and includes:
- intellectual property (77%)
- copyrighted material (54%)
- confidential research (92%)
- trade secrets (31%).
Cyber threats are recognised in all entities’ enterprise or IT risk registers. All entities have performed a risk assessment on their IT assets and identified their ‘crown jewels’ or ‘Mission Critical’ assets.
However, we noted:
- one entity did not have an IT asset register for the purposes of IT configuration and security
- one entity’s IT asset register did not include IT dependencies between the IT asset and the business function it supports
- one entity has a ‘Mission Critical’ IT asset which was not covered by vendor support at 31 December 2022. This entity noted it is due for an upgrade that will bring it into support by the end of 2023. Assets that are unsupported by vendors may be unpatched for identified security weaknesses and at greater risk of being compromised in a cyber attack
- one entity has not formally accepted the residual risk where cyber security controls were not fully implemented or have not met target levels
- one entity recorded risks that did not contain mitigating controls.
All entities report cyber risks to management, reporting on average quarterly and have assigned owners for identified cyber risks to ensure accountability.
Managing personally identifiable information (PII)
Entities hold PII for a variety of purposes in delivery of services. PII can include:
- student and staff names
- student numbers or staff ID
- date of birth and ID records
- billing addresses and banking details
- details of participants in research activities.
Due to the sensitive nature of the PII held by entities, the information is attractive to cybercriminals that may seek to access the information for:
- financial gain
- recognition and achievement
- political motivation
- their nation’s own interests (state actors)
- corporate espionage.
Entities have assessed and classified the data held that is considered personally identifiable (PII), and established internal guidelines and plans to manage the data.
Retention policies of personal information vary greatly across entities
PII is retained for different lengths of time across the entities, with ranges as follows:
- personal information of employees – held between seven years and indefinitely
- personal information of students – held between seven years and indefinitely
- personal information of others (research, commercial activities) – held between seven and 15 years.
Entities that retain sensitive PII long-term can in time hold greater volumes of information, increasing their risk exposure.
Entities tend to store PII data using a combination of offshore, onsite, offsite and cloud/internet facing environments. Over 65% of entities utilise cloud storage for personal information which relies on third party IT service providers. Third party IT service provider arrangements are further discussed later in this chapter.
Three entities have not conducted a review of user access to PII in 2022. Of the ten entities that have, three have conducted only annual reviews of user access.
RecommendationEntities should review their PII retention policies to ensure PII stored is limited to the entity’s needs, held only for the minimum duration it is legally and operationally required, and access is strictly limited |
Cyber incident management
The number of cyber incidents or attacks identified by entities in 2022 ranged from nil to 1,777, compared to 2021 which ranged from nil to 4,400. The disparity in the number of recorded incidents is due to:
- different definitions of what a ‘cyber incident’ is
- some registers do not cover all systems (two entities)
- some registers include intercepted or blocked attempts, while others do not. One entity did not record blocked attempts anywhere.
Monitoring of attempted attacks enables entities to locate weaknesses in their processes and identify areas subject to regular or increased attack.
It is important to note the above is based on entities’ self-reporting of incidents and the incidents they have identified. There is a continued risk that incidents may have occurred and gone undetected or unreported to those charged with governance.
Two entities reported financial losses from cyber incidents
The highest financial loss reported by universities in NSW was from a single attack on an entity that involved malicious software executed on a faculty computer laboratory. Whilst most entities have not reported direct financial losses from cyber incidents, many required significant effort and costs to respond to known, but unsuccessful incidents.
Third party IT providers
Many entities engage IT service providers as they deliver specialised services and may offer cost savings or efficiencies. Consequently, third party IT providers are part of the general IT ecosystem and embody certain risks that need to be managed. Being unaware of weaknesses in an IT service provider's cyber security controls means entities may respond slowly, or not at all to close vulnerabilities, which can be exploited by threat actors to gain access to systems, data and assets.
We observed all entities’ cyber security policies capture and apply to their third party IT vendors. However, two entities did not require IT vendors to comply with its cyber security policy, as this was not a standard term within its contracts with IT service providers.
Thirty per cent of entities do not require attestations or certifications from IT service providers confirming compliance, and 23% do not require controls assurance reports from IT service providers, relating to their providers’ controls around cyber security.
Thirty-one per cent of entities did not require their IT vendors to notify them of cyber incidents
Thirty-one per cent of entities did not require their IT vendors to notify them of cyber incidents and are revisiting their current practices. Of those that do, five entities reported receiving notifications from vendors of cyber incidents that occurred during the year. Cyber supply chain risks can expose entities to additional risks, particularly where the supplier is a vendor of IT services. Arrangements with vendors should include standard security terms and conditions including requirements for timely notification of incidents to ensure entities can respond to incidents efficiently and effectively.
From 8 July 2022, amendments to the Security of Critical Infrastructure Act 2018 (SOCI Act) require that organisations with 'critical infrastructure assets' report cyber incidents to the ACSC within 12 hours of detection for critical incidents that have a significant impact on the availability of the asset, or 72 hours for other incidents that have a relevant impact on the asset. Given that all universities operate in critical infrastructure sectors as defined in the SOCI Act, namely higher education and research, it is increasingly important that entities ensure their IT service providers notify them of incidents promptly.
Disaster recovery plans
Two entities did not test their disaster recovery plans during 2022
Disaster recovery plans provide guidance and instructions to entity staff on how to respond to various incidents including cyber attacks. Whilst no entity was required to activate their disaster recovery plan during the year following an incident, we noted two entities did not test their existing plans during 2022. Of the entities that did perform tests, these were conducted to varying extents, with tests targeting specific systems according to entity’s risk appetite. Periodic disaster recovery testing of entity systems can support entities to identify weaknesses in their plan and improve their cyber resilience.
Cyber risk awareness training
All but one entity provided mandatory training or refresher training and awareness programs on cyber security to their staff during 2022. Of the training provided, we observed further improvements can be achieved as:
- 54% of cyber training offered to staff was not tailored for staff positions. Certain organisational positions carry a higher cyber risk and are more likely to be targeted by cyber criminals
- 46% of entities did not test staff knowledge through awareness exercises. Awareness exercises can be effective to gauge the adequacy of current training.
Entities that performed simulated phishing attacks as part of their awareness exercises reported click-through rates ranging from three per cent to 71%. Results can vary significantly according to the complexity of the simulated phishing attack. Simulated phishing attacks, when well designed, can help entities raise awareness of phishing risks and provide valuable learnings in a safe environment.
4. Teaching and research
Universities' primary objectives are teaching and research. They invest most of their resources aiming to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.
This chapter outlines teaching and research outcomes for universities in NSW for 2022.
Section highlights
|
4.1 Teaching outcomes
Graduate employment rates
Graduate employment outcomes vary across universities
Universities assess the employment outcomes of their graduates by using published data from surveys conducted by the Australian Department of Education, Skills and Employment's agents. The survey timeframe for employment outcomes is approximately four to six months after completion of studies.
According to the 2022 survey, seven out of ten NSW universities (seven in 2021) exceeded the national average of 79% for full-time employment rates of their domestic undergraduates. This index increased from 69.2% in 2021.
Five universities (six in 2021) performed better than the national average of 89.1% for full-time employment outcomes of their domestic postgraduates. The postgraduate national average increased from 84.7% in 2021.
The graph below presents the results of the 2022 survey by university.
For overseas student graduates, employment rates are consistently lower than those for domestic graduates. However, the 2022 survey showed average employment rates have improved from 2021 due to a strong recovery of the Australian labour market. The report noted there was a broad decline in graduate employment rates between 2019 and 2020 for both domestic and overseas graduates associated with general weakness in the labour market, which was worsened in 2020 from the impact of the COVID-19 pandemic.
The average full-time employment rate for overseas undergraduates was reported at 57.7% (2021: 43%) and 57.9% for international postgraduate coursework (2021: 43.9%).
The graph below presents the 2020–22 longitudinal results from the survey by university.
Student enrolments by field of education
Enrolments at universities decreased the most in Science related courses in 2022
Enrolments at NSW universities declined overall by over 12,000 full-time equivalent students. The largest decreases in student enrolments at universities in NSW in 2022 were in:
- Science related courses, with 7,094 fewer enrolments compared to 2021 (16.7% decrease).
- Society and Culture courses, with 6,831 fewer enrolments compared to 2021 (9.9% decrease).
The largest increase in student enrolments at universities in 2022 was in Health courses. An additional 4,801 students were enrolled compared to 2021 (11.7% increase).
The graph below shows the movement in student enrolments by field of education between 2021 and 2022.
Modes of learning
Over half of the universities decreased their delivery of courses via online methods in 2022
Sixty per cent of universities decreased the percentage of courses they delivered through online or digital means during 2022 compared to 2021.
Following the loosening of COVID-19 restrictions in NSW at the end of 2021, all five metropolitan universities have shifted significantly back to face-to-face learning. In 2021, four metropolitan universities delivered over 75% of their courses primarily via online methods. In 2022, all metropolitan universities now have less than 30% of their courses delivered digitally. The inverse has occurred at regional universities, which have increased the percentage of their courses delivered digitally.
On average, universities delivered:
- 23% of their courses primarily online (59% in 2021)
- 51% of their courses primarily face-to-face (25% in 2021)
- 43% of their courses both online and face-to-face (33% in 2021).
The average percentage of domestic students who received their education primarily via digital learning means was 37% (68% in 2021). For overseas students, it was 24% (53% in 2021).
Universities utilise a combination of both internally and externally managed learning platforms, with internally managed platforms supported by third party software.
All universities have performed evaluations on the quality and effectiveness of their online service delivery over the last 12 months, some of which include student experience surveys and reviews of online content against externally published quality standards. Much of this is done as part of general course evaluation procedures.
All universities have evaluated their digital learning platforms as part of their cyber security assessments.
Students from low SES backgrounds
In 2009, the Australian Government set a target for 20% of university undergraduate enrolments to be students from low socio-economic status (SES) backgrounds by 2020.
The 2020 results for universities in NSW showed five universities achieved enrolments of more than 20% of domestic undergraduate students from low SES backgrounds.
In 2021, the same five universities achieved the 20% target. There has been slight improvement in each of the other universities of their percentage of domestic undergraduate students being from low SES backgrounds.
Enrolment statistics for 2022 are not expected to be available from the Australian Department of Education, Skills and Employment until late 2023.
Universities can continue to improve outcomes for these students by consistently setting targets, tracking achievement against those targets, implementing policies to increase enrolments and supporting students to graduation.
Five universities reported that they enrolled more students from low SES backgrounds than the target
Universities in NSW reported barely an increase in the total number of low SES domestic undergraduate student enrolments, from 40,517 in 2020 to 40,521 in 2021. Overall, domestic undergraduate student enrolments (headcount) in NSW increased by two per cent in the same period from 225,918 in 2020 to 230,379 in 2021.
Reported enrolments of domestic undergraduate students from low SES backgrounds in 2021 for universities as a percentage of total domestic undergraduate students are shown in the graph below.
Enrolment of Aboriginal and Torres Strait Islander students
In March 2017, all Australian universities committed to achieving growth rates for enrolments of Aboriginal and Torres Strait Islander students to exceed the growth rate of enrolments of other domestic students by at least 50%.
In this report, Aboriginal students are students who identify as being of the First Nations peoples of the land and waters now called Australia, and includes Aboriginal and Torres Strait Islander peoples.
The 2021 results for universities in NSW showed seven universities achieved increased enrolments of students from Aboriginal backgrounds (eight in 2020).
Seven universities reported increased enrolments of Aboriginal students in 2021
Universities in NSW reported an increase in the overall number of Aboriginal student enrolments in 2021 by 213 students, taking the total number of Aboriginal student enrolments in 2021 to 7,587. This represents a growth of 2.9% since 2020. Overall, non-Aboriginal student enrolments in NSW increased by only 1.6% in the same period, from 303,951 in 2020 to 308,748 in 2021.
Consequently, the target growth rate for enrolments of Aboriginal students to exceed the growth rate of enrolments of non-Aboriginal students by at least 50% was achieved in 2021.
The Aboriginal student enrolments for 2021 by university is shown below, together with the change in Aboriginal student enrolments since 2020.
The following graph shows Aboriginal students in 2021 as a percentage of total domestic students at each university.
Appendices
Appendix one – List of 2022 recommendations
Appendix two – Status of 2021 recommendations
Appendix three – Universities' controlled entities
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.