1  Eleven entities were exempt from reporting requirements in 2023. Further details are in section 2.1 of this report.
2  Eleven entities did not prepare and submit annual financial statements for audit in accordance with the requirements of the Government Sector Finance Act 2018 in 2023. Two new controlled entities did not need to submit annual financial statements for the year ended 31 December 2023 as their annual reporting period was the period of 12 months commencing on 1 July 2023. Further details are in section 2.1 and section 2.3 of this report.
3  Equivalent Full-Time Student Load (EFTSL) represents the equivalent full-time study load for one year.
4  Full-Time Equivalent (FTE).
Source: Student and staff numbers are provided by universities (unaudited).

Note: Audit completion dates for University of Newcastle were the same in both years.
Source: Independent Auditor’s Reports issued by the Audit Office.

Source: Universities’ consolidated financial statements (audited).

Key drivers behind the universities’ 2023 results were:

• increases in combined expenses by $1.4 billion to $12.6 billion in 2023. Nearly 50% of this related to higher employee related expenses, increasing by $709.2 million in 2023 to $6.9 billion
• increases in combined investment income of $678 million, with all but one university (Macquarie University) experiencing positive investment gains in 2023. Returns on The University of Sydney’s investments contributed more than 52% of the total combined universities’ investment income
• increases in fees and charges of $519 million for nine universities, with University of New South Wales recording the highest increase of $168 million in 2023
• increased government grants of $151 million for eight universities.

The graph below presents the revenue and expenses for each university in 2023.

Source: Universities’ consolidated financial statements (audited).

Movements in revenue and expenses for each university, and for the sector as a whole, are analysed later in this report.

Revenue from operations

A snapshot of universities’ revenue for the year ended 31 December 2023 is shown below.

Note: Government grants do not include Higher Education Loan Programs, such as the Higher Education Contribution Scheme (HECS), which are included in fees and charges.
Numbers above have been rounded to the nearest $0.1 billion.
Source: Universities’ consolidated financial statements (audited).

Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Percentages above have been rounded to the nearest whole number.
Source: Universities’ consolidated financial statements (audited).

Combined revenue for universities totalled $12.5 billion in 2023, an increase of $1.5 billion (13.4%) from 2022. This was mainly driven by an increase of $678 million in investment income and $519 million in fees and charges due to the increase in overseas student enrolments (9,469 more full-time equivalent overseas students compared to 2022). Similar to last year, fees and charges continue to represent over half of universities’ total revenue in 2023.

Government grants represented 32.5% of the universities’ combined revenue in 2023

Aggregated Commonwealth, State and local government grants revenue to NSW universities increased to $4.1 billion in 2023 ($3.9 billion in 2022). As a proportion of the total revenues of all universities, government grants decreased to 32.5% (35.3% in 2022).

In previous years, various higher education reforms were proposed by the Australian Government to manage the cost of tertiary education and to reduce universities’ reliance on government grants. Prior to the COVID-19 pandemic, combined government grants as a proportion of the total revenue of universities in NSW was steadily declining, from 37% in 2015 to the lowest point in 2019 of 31.1%. From 2020, additional grant funding was provided to assist universities respond to the pandemic, which resulted in a steady increase in the proportion of grant funding compared to total revenue. While the dollar value of government grants increased in 2023, the percentage of government grants to total revenue decreased from 35.3% in 2022 to 32.5% in 2023. This was mainly due to a $678 million increase in universities’ investment income compared to the previous year, which had the effect of increasing the combined universities’ revenue and reducing the overall proportion of grant funding.

All revenue streams recorded a growth in 2023

The graph below presents the aggregated revenue streams for all universities in NSW from 2019 to 2023.

Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).

Revenue from investment income recorded the strongest growth for all but one university in 2023, increasing by $678 million from the previous year.

Over the past five years, fees and charges revenue had the smallest growth rate of 2.4 %. The decrease in 2020 reflects the impact of reduced overseas student enrolments during the COVID-19 pandemic at most universities. In 2023 total fees and charges returned to pre-pandemic levels.

Trends in fees and charges revenue for NSW universities for 2019 to 2023 is presented in the following graph.

Source: Universities’ consolidated financial statements (audited).

All universities except for Charles Sturt University recorded increased fees and charges revenue in 2023. University of Wollongong recorded the highest increase of 20% when compared to other universities, largely due to an increase in overseas student revenue ($59.5 million). The University of Sydney’s fees and charges revenue was not significantly impacted by the pandemic and it was the only university which recorded an increase in fees and charges revenue in 2021 (18.1% increase from 2020) and has steadily increased its fees and charges to a high of $1.9 billion in 2023. University of New South Wales experienced a large reduction in fees and charges revenue in 2020 (12.9% decrease from 2019) however since then, this revenue has steadily recovered with fees and charges revenue in 2023 returning to 3.3% higher than its pre-pandemic level. The eight other NSW universities’ fees and charges revenue has not yet returned to pre-pandemic levels.

The following graph shows major revenue streams by universities for 2023. In 2023, three universities (four in 2022) received over 40% of their total revenue from government grants.

Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).

In the current year, eight universities saw an increase in government grants from the prior year. The change in revenue from government grants at individual universities varied from a decrease of 2.9% to an increase of 10.9%.

The graph below shows Commonwealth, State and local government grants received by the universities in 2023 with the percentage change from 2022.

Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).

In 2023, total course fee revenues increased by 12.7% from overseas students and 2.4% for domestic students

In 2023, combined total course fee revenues from overseas and domestic students returned to pre-pandemic levels. Universities’ overseas and domestic student course fees and charges revenue for 2019 to 2023 are presented in the following graph.

Note: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS, but does not include government grants for domestic students comprising the Commonwealth Grant Scheme (CGS) funding for Commonwealth Supported Places.
Source: Universities’ consolidated financial statements (audited).

Course fees and charges revenues from overseas students had been increasing steadily since 2012 to a peak of $3.6 billion in 2019. The impact of the COVID-19 pandemic’s global travel restrictions meant that between 2019 and 2022, total overseas student revenue decreased by $385 million or 10.6%. In 2023 all universities (except for Charles Sturt University) experienced an increase in overseas student revenue ranging from 3.9% to 47.1%, compared to 2022. The increase of $410.8 million in overseas student revenue in 2023 was driven by a 12% increase in the number of full-time equivalent overseas students studying at universities in NSW following the re-opening of the international border in early 2022 (from 79,123 full-time equivalent students in 2022 to 88,592 students in 2023). Nine universities increased their overseas student enrolments in 2023 compared to four universities in 2022. The increase was driven by a number of factors including government initiatives on student working rights and post-study visa rules, improved rankings for some universities in 2022, and student recruitment strategies implemented by universities post-pandemic.

In June 2023, the Department of Home Affairs published a student visa and temporary graduate visa program report which noted an increase in the number of visa rejections from 1 July 2022 to 30 June 2023. The report notes the increased visa rejection rate is due to a higher number of student visa applicants that reportedly used fraudulent documentation or information in their applications since the re-opening of the international border.

The rates of student visa applications granted between 2018–19 and 2022–23 are shown in the graph below.

Source: Department of Home Affairs, Student visa and Temporary Graduate visa program reports.

Approvals of student visas dropped from 92% in 2021–22 to 86% in 2022–23. In the last three months to December 2023, the overall rate of student visa approvals was 81.9%. NSW universities’ overseas student enrolments and revenue in 2024 are sensitive to changes in the rate of approvals of student visas.

The number of full-time equivalent domestic students decreased by 2.6% since 2022, with only three universities experiencing an increase in domestic students in the current year. From 2019 to 2023, course fees and charges revenue from domestic students grew by $103.1 million or 4.8%. However, the movement in full-time equivalent students over the five years decreased to 194,932 (5.4%) from 206,141 in 2019. The financial impact of decreases in student numbers has been offset by increases in the average student fees for domestic students.

The graph below shows the movement in domestic student enrolments and average revenue per domestic full-time equivalent student between 2019 and 2023.

Note: Average revenue per domestic full-time equivalent student includes amounts from Higher Education Loan Programs, such as HECS, but does not include government grants for domestic students comprising the CGS funding for Commonwealth Supported Places.

The graph below shows the movement in full-time equivalent student enrolments (EFTSL) between 2023 and 2022.

Note: EFTSL is Equivalent Full-Time Student Load.
Source: Provided by universities (unaudited).

In comparing average revenue per full-time equivalent student, universities earn nearly twice as much from overseas students compared to domestic students. In aggregate for NSW universities in 2023, average revenue per domestic full-time equivalent student (including amounts from Higher Education Loan Programs and CGS funding for Commonwealth Supported Places) was $22,996. The average revenue per overseas full-time equivalent student was $41,117.

The graph below shows individual universities' revenue in 2023 from overseas and domestic students. Income from overseas students exceeds income from domestic students at The University of Sydney and University of New South Wales (same in 2022). Overseas student revenue recorded by these two universities makes up over 64% of total overseas student revenue for all NSW universities.

Note: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS. Government grants for domestic students represents the CGS funding for Commonwealth Supported Places.
Source: Universities’ consolidated financial statements (audited).

All universities except Charles Sturt University recorded increases in overseas student revenue compared to 2022. The movement in overseas student revenue in 2023 for each university is shown in the graph below.

Source: Universities’ consolidated financial statements (audited).

Movements in overseas student revenue did not impact each university equally. Different universities attract overseas students from different countries of origin in varying proportions. Four universities’ QS World rankings (The University of Sydney, University of New South Wales, Macquarie University and University of Wollongong) improved in 2022, which may have helped these universities attract more overseas students in 2023. University of New England recorded the highest percentage increase in overseas student revenue in 2023 from 2022 (47.1%), which the university attributed in part to the implementation of its offshore recruitment strategy.

40.5% of universities’ total revenue from fees and charges in 2023 derived from overseas students from three countries

In 2023, overseas students contributed $3.4 billion in course fees to universities in NSW ($3.1 billion in 2022), increasing by $325.5 million from 2022. Students from the top three countries of origin contributed $2.5 billion in fees ($2.4 billion in 2022), which closely approximates the universities’ total revenue from domestic students for 2023. These top three countries were China, India and Nepal (same in 2022). Revenue from students from these countries comprised 40.5% (42.1% in 2022) of total student revenues for all universities, and 71.7% of total overseas student revenue in 2023.

As reported in previous Auditor-General’s report to parliament on NSW Universities, a high level of reliance on student revenue from these three countries of origin poses a concentration risk for NSW universities. Unexpected shifts in demand arising from changes in the geo-political or geo-economic landscape, or changes to visa approval rates or travel restrictions, can impact revenues, operating results and cash flows. The consequence of the risk of reliance on revenues from overseas students, when there is a lack of diversification in the countries of origin was realised as travel restrictions were implemented following the outbreak of COVID-19 in early 2020. While almost all universities’ revenues from overseas students were negatively impacted in 2020, there was a greater impact initially and less resilience in student revenues from some countries of origin over the following two years.

The graph below shows the parent universities’ revenue in 2023 from overseas and domestic student fees and charges.

Note 1: The figures used for revenue relate to students enrolled in bachelor or higher degrees at the parent university.
Note 2: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS.
Source: Total revenue from domestic and overseas students was sourced from universities’ parent financial statements (audited). Revenue from students by country of origin was provided by universities (unaudited).

Student enrolments from China continue to represent the largest share of overseas enrolments

The number of overseas student enrolments (by headcount) at NSW universities increased from 138,941 in 2022 to 166,178 in 2023.
All universities continue to market their educational products in international markets, focusing on countries in Asia.

The graph below shows the composition of overseas student enrolments by country of origin over the past five years.

Source: Australian Trade and Investment Commission, international student data.

Seven of the ten universities record China as the leading source of overseas student revenues. This creates a concentration risk for each university, and for the NSW university sector as a whole. In 2023, the university sector appears to have diversified their sources of overseas student enrolments. This is demonstrated in the graph above where student enrolments from China reduced from over half of total overseas enrolments in 2022 to 42.3% in 2023.

The graph below illustrates the relative reliance of each university on a single country for their overseas student revenue. Among the eight universities that recorded China as the leading source of overseas student revenues in 2022, five experienced a decrease ranging from three per cent to 26% in overseas student revenue from China in 2023. University of Wollongong changed its top country of origin from China to India, which brought the number of universities that recorded China as the leading source of overseas student revenues in 2023 to seven.

Only two universities now have over 40% of their overseas student revenue reliant on one country, compared to six universities in 2019. The highest proportion of overseas student revenue sourced from a single country of origin at individual universities ranged from 24% to 79% (2022: 20% to 84%).

Note: The figures used for revenue relate to students enrolled in bachelor or higher degrees at the parent university. The percentage has been calculated based on the university parent total overseas student revenue.
Source: Provided by universities (unaudited).

Other revenues

Philanthropic contributions to universities decreased with the exception of two universities

Universities and many of their controlled entities are registered as charities. They can attract significant donations and bequests from public, private and corporate philanthropists. Some bequests are tied to specific research activities, and in order to comply with the terms of the bequest, the university may not use the funds for other purposes.

Overall philanthropic contributions to universities increased slightly by two per cent from $203 million in 2022 to $207 million in 2023. However, eight universities experienced a decrease in philanthropic contributions in 2023. University of New South Wales received additional philanthropic contributions of $20.9 million in 2023, which brought its total philanthropic contribution amounts to $71 million in line with The University of Sydney’s $72.2 million in 2023.

The University of Sydney and University of New South Wales attracted 69.2% of total philanthropic contributions in 2023 (61.6% in 2022). The newer, smaller and non-metropolitan universities have been least able to attract donations.

The graph below presents donation revenue received by each university in 2023.

Source: Universities’ consolidated financial statements (audited).

Total research income for universities was $1.6 billion in 2022

Research income statistics for 2023 are not available from the Australian Department of Education until December 2024, so there is a time lag in reporting this key measure.

Universities’ total research income decreased by $78 million (4.7%) in 2022 compared to 2021. However, overall universities’ research income increased over the five years from 2018 to 2022. It increased by $347 million (28.6%) from $1.2 billion to $1.6 billion, mostly due to increased industry and other funding and other public sector research funding of a combined $243 million.

The University of Sydney and University of New South Wales collectively attracted 64.4% of total research income for all universities (69% in 2021). The graph below shows research income by university in 2022.

Source: Australian Department of Education statistics on Higher Education Research Income (audited).

Expenses

A snapshot of combined expenses at universities in NSW for the year ended 31 December 2023 is shown below.

Note: The numbers above have been rounded to the nearest $0.1 billion.
Source: Universities’ consolidated financial statements (audited).

Source: Universities’ consolidated financial statements (audited).

Universities’ combined expenses increased by 11.3% in 2023

Combined expenses for universities totalled $12.6 billion in 2023, representing an increase of $1.4 billion (11.3%) from 2022. Most of this increase was due to higher employee related expenses and other expenses for universities.

The outbreak of the COVID-19 pandemic put immediate financial pressure on the sector and universities responded by implementing cost saving measures. However, since 2022, universities’ combined expenses are now greater than pre-pandemic levels. As universities return to normal operations, combined ‘other’ expenses (including travel and entertainment, staff development, consultants, and repairs and maintenance) increased by $565.2 million in 2023 to $3.8 billion. Some key contributors to this year’s increase in other expenses are:

• travel, entertainment and staff development expenses increased by $72.2 million (53%)
• repairs and maintenance expenses increased by $70 million (28.8%)
• agents’ commission increased by $66 million (37.3%)
• consultant and professional services expenses increased by $27.3 million (21.1%).

The total expenses for each university in 2023, and the change since 2022, is shown below.

Source: Universities’ consolidated financial statements (audited).

Expenses at all universities increased in 2023, the largest increase being employee related expenses. This accounted for nearly 50% of the increase in expenses compared to the previous year. The University of Sydney and University of New South Wales recorded the largest increases in expenses, of $370 million and $264.1 million respectively.

Employee related expenses increased 10.2% in 2023

Combined employee related expenses for universities increased to $6.9 billion in 2023, up by $709.2 million (10.2%) from 2022. The movement was partially due to growth in full-time equivalent (FTE) staff numbers of 2,830 (seven per cent), and wage increases in line with enterprise agreements. Universities increased staffing levels to support increased strategic projects, teaching and research activities and to improve student services.

Redundancy expenses were $25.6 million in 2023 compared with $16.5 million in 2022. However, the number of positions made redundant during the year fell from 337 to 299 in 2023.

Combined expenses from wage underpayments were $36.1 million in 2023, down from $73.1 million in 2022.

The graph below shows the key components of expenses for each university in 2023.

Source: Universities’ consolidated financial statements (audited).

Employee related expenses represent the major portion of expenses at each university and ranged from 49% to 61% of total expenses.

Controlled entities

The number of universities’ controlled entities increased

Four new controlled entities were created (one each for Southern Cross University and Western Sydney University and two for The University of Sydney), which increased the total number of controlled entities from 74 to 78 this year. Controlled entities, whether based in Australia or overseas, experienced overall declines in their operating results.

Of the 78 controlled entities, 12 were non-operating entities at 31 December 2023 (12 in 2022), including corporate trustees that do not trade and entities that have ceased to operate due to business rationalisation.

Many of the universities’ controlled entities were impacted by the COVID-19 pandemic, but none closed as a result. 51 of 54 controlled entities that prepared 31 December 2023 financial statements were able to demonstrate they were going concerns. Some controlled entities experiencing continuing losses required financial support from the parent entity to meet their financial commitments. Seventeen universities’ controlled entities reported losses in 2023 (17 in 2022). Twenty-nine of the universities’ controlled entities required letters of financial support from their parent in 2023 (30 in 2022).

The table below details the number of universities' controlled entities.

∗ These universities had new controlled entities in 2023.
Source: University and controlled entities' financial statements (audited).

Source: Management letters issued by the Audit Office for the parent universities.

Source: Agencies’ enterprise risk registers (unaudited).

Financial sustainability, cyber and information technology and workforce related risks were the most common risks recognised by NSW universities. One university recognised climate and environmental risks within their top three risks.

Cyber security forms part of the top three risks of most universities. Due to the increasing prevalence of this risk, a separate chapter has been dedicated in this report to focus deeper on the general cyber risk environment for universities. It analyses how universities have assessed cyber risk, what frameworks are used to implement controls over those risks, and the extent to which these controls are implemented. Refer to Chapter 5 Cyber Security in this report.

Internal audit function

The Institute of Internal Auditors (IIA) defines internal auditing as;

All NSW universities operate an internal audit function as outlined in TPP 20-08 Internal Audit and Risk Management Policy, which is used as best practice guidelines within the university sector. The policy outlines the internal audit function is to provide timely and useful information to management on:

• the adequacy of and compliance with the system of internal control
• whether agency results are consistent with established objectives
• whether operations or programs are being carried out as planned.

All universities have established an internal audit function and internal audit plans that have been endorsed by their respective audit and risk committee (ARC). Internal audit functions are generally performed via a combination of internal staff and external service providers. Two universities have a fully operational in-house internal audit function. The remaining universities outsource the function or have a combined approach, see details below:

Source: Audit Office analysis.

Forty per cent of internal audit functions have not been independently evaluated

Four universities’ internal audit functions were not subject to an external evaluation in the last five years. Whilst not mandatory for NSW Universities, TPP 20-08 requires agencies should ensure an external assessment of the internal audit function is conducted by a qualified, independent assessor selected in consultation with the audit and risk committee at least once every five years.

Ninety-nine internal audit recommendations are greater than 12 months old

Eight universities collectively had 99 internal audit recommendations that have taken more than 12 months to address.

Timely implementation of long tail recommendations is dependent on the complexity of the recommendations. Management at the respective universities have advised delays in addressing these recommendations is mainly due to:

• time taken to procure and or implement new systems or applications that are designed to address the risks
• original recommendations/actions often become a part of an enterprise-wide delivery program that are delivered on a larger scale in and often in a staged approach.

Six universities did not complete internal audits of their controlled entities in 2022 and 2023

There are 78 controlled entities incorporated in Australia or overseas that are controlled by NSW universities, with most of these entities (nearly 85%) being operational. Six universities did not complete internal audits of their controlled entities in 2022 and 2023. There were only four universities that incorporated their controlled entities into their internal audit plans for both 2022 and 2023.

Controlled entities may operate in different jurisdictions and in some instances can be subject to less formalised oversight and governance compared to the parent entities. Universities should consider the need for incorporating controlled entities on a risk basis into their respective internal audit plans.

Audit and risk committees

The universities enabling legislation outlines the functions of the governing authority is to oversee risk management and risk assessments across the university. Governing authorities have established an Audit and Risk Committee (ARC) to assist in overseeing risk management, internal controls, governance processes and regulatory compliance.

Treasury policy TPP 20-08 Internal Audit and Risk Management Policy defines an ARC as a committee established to 'monitor, review and provide advice and guidance about the agency's governance processes, risk management and internal control frameworks and external accountability obligations.’ This policy is used as better practice for NSW universities.

All universities have established an audit and risk committee and charter

All ten universities have established an ARC, whose responsibilities and governance is underpinned by a charter or terms of reference. The majority of NSW universities reported holding ARC meetings on average five times during the year.

The ARC charter should, at a minimum include objectives of committee, authority of the committee, composition, tenure and reporting lines. Best practice guidelines outline that for the ARC to effectively perform its role, meetings should be held at least quarterly. This is also dependent on the size and complexity of the agency.

Most universities reviewed their ARC charter in the last 12 months

TPP 20-08 requires committee charters to be reviewed at least annually and the review should be performed in consultation with the appropriate accountable authority. Southern Cross University did not review their charter in 2023 however has since completed a review in April 2024.

The policy outlines the importance of periodic reviews to ensure ongoing relevance and the charter is sufficiently detailed to ensure there is no ambiguity on roles and responsibilities.

Source: Quality Indicators for Learning and Teaching 'Graduate Outcomes Survey National Report 2023’ published May 2024, funded by the Australian Department of Education.

Overseas student graduates’ employment rates continued to be consistently lower than those for domestic graduates. However, the 2023 survey showed average employment rates have improved since 2022 due to the strong recovery of the Australian labour market.

The national survey data notes that overseas graduates are considerably more likely than domestic graduates to undertake further full-time study. The 2023 data indicates that four to six months after course completion, 25.9% of international undergraduates were enrolled in further full-time studies, compared to 17.6% of undergraduate domestic students. Electing to undertake further study can contribute to the lower rates of labour force participation and employment outcomes for overseas graduates.

Student enrolments by field of education

Enrolments at universities improved the most in Health, IT and Engineering in 2023

Overall enrolments increased by 4,247 full-time equivalent (FTE) students in 2023 from approximately 279,277 FTE to 283,524 FTE students. This is a significant improvement when compared to the 12,000 FTE student enrolment decrease experienced last year. The largest increases in student enrolments at universities in NSW in 2023 were in:

• Information Technology, Engineering and Related Technologies courses, with approximately 4,708 more enrolments compared to 2022 (11% increase)
• Health related courses, with approximately 2,144 more enrolments compared to 2022 (five per cent increase).

The upward trend in enrolments reflect both Commonwealth and State government initiatives to address skill shortages, particularly in areas of national priority such as Health. The ‘Australian Universities Accord Report’ also recently highlighted skills shortages in areas such as Health.

The largest decreases in student enrolments at universities in NSW in 2023 continued to be seen in:

• Society and Culture courses, with approximately 2,921 fewer enrolments compared to 2022 (four per cent decrease)
• Science related courses, with approximately 534 fewer enrolments compared to 2023 (one per cent decrease).

The graph below shows the movement in student enrolments by field of education between 2022 and 2023.

Note: EFTSL is Equivalent Full-Time Student Load.
Source: Student numbers are provided by universities (unaudited).

Modes of learning

Face to face course delivery remains the most common mode of learning

On average, face to face delivery of courses remains the most common mode of learning across NSW universities. In 2023, approximately 52% of courses were exclusively delivered face to face compared to 45% in 2022.

Universities are delivering courses via online learning, face-to-face or a hybrid approach of online and face-to-face learning. On average, universities delivered:

• 20% of their courses primarily online (21% in 2022)
• 52% of their courses primarily face-to-face (45% in 2022)
• 28% of their courses both online and face-to-face (34% in 2022).

Source: Modes of Learning percentages provided by universities (unaudited).

Face to face course delivery is more prevalent for metropolitan universities

The high levels of online learning in 2021 was due to COVID-19 restrictions resulting in universities shifting their course delivery from being predominantly face-to-face to online. In 2021, four metropolitan universities delivered most of their courses primarily through online methods. This shifted in 2022 when COVID-19 restrictions eased and reduced further in 2023 with metropolitan universities delivering on average eight per cent of their courses online (11% in 2022). Most courses were delivered face to face.

Online course delivery is more prevalent for non-metropolitan universities

Most of the non-metropolitan universities delivered on average 32% of their courses digitally (32% in 2022). When comparing to pre-COVID-19 levels, non-metropolitan universities have increased the extent of courses being delivered online.

Universities use a combination of both internally and externally managed learning platforms, with internally managed platforms supported by third party software. Thirty per cent of universities manage their own online platform or application, with the remainder outsourcing.

All universities have performed evaluations on the quality and effectiveness of their online service delivery over the last 12 months, some of which include student experience surveys and reviews of online content against externally published quality standards. Much of this is done as part of general course evaluation procedures.
Additionally, all universities confirmed they have evaluated their digital learning platforms as part of their cyber security assessments.

Students from low SES backgrounds

In 2009, the Australian Government set a target for 20% of university undergraduate enrolments to be students from low socio-economic status (SES) backgrounds by 2020. The Australian Universities Accord report released in February 2024, confirmed this target was not met in part because of higher-than-expected growth in the total undergraduate population in Australia.

Enrolment statistics for 2023 are not expected to be available from the Australian Department of Education until late 2024 and the following analysis is based on 2022 published data.

Five universities reported that they enrolled more students from low SES backgrounds than the target

The 2022 results for universities in NSW showed five universities achieved enrolments of more than 20% of domestic undergraduate students from low SES backgrounds. These were the same five universities who achieved the 20% target in 2020 and 2021. Western Sydney University was the only metropolitan university to achieve this target.

Universities in NSW reported a decline in the total number of low SES domestic undergraduate student enrolments, from 40,521 in 2021 to 35,110 in 2022. Overall, domestic undergraduate student enrolments (headcount) in NSW decreased by 3.5% in the same period from 230,379 in 2021 to 222,305 in 2022.

Universities can continue to improve outcomes for these students by consistently setting internal targets, tracking achievement against those targets, implementing policies to increase enrolments and supporting students to graduation.

Reported enrolments of domestic undergraduate students from low SES backgrounds in 2022 for universities as a percentage of total domestic undergraduate students is shown in the graph below.

Source: Australian Department of Education 2022, Section 11: Equity groups.

Enrolment of Aboriginal and Torres Strait Islander students

In March 2017, Australian universities committed to achieving growth rates for enrolments of Aboriginal and Torres Strait Islander students to exceed the growth rate of enrolments of other domestic students by at least 50%. This was the first whole-of-sector strategy to support the advancement of Aboriginal and Torres Strait Islander people in and through Australia’s universities. In March 2022, Universities Australia published their Indigenous Strategy 2022-25, reflecting the sector’s continued commitment to improving completion rates.

Aboriginal students are defined as ‘students who identify as being of the First Nations peoples of the land and waters now called Australia and includes Aboriginal and Torres Strait Islander peoples’.

The 2022 results for universities in NSW showed only University of Technology Sydney (UTS) achieved the 2017–20 target growth rate for students enrolled from Aboriginal backgrounds, compared to seven universities in 2021.

Overall enrolments of Aboriginal students in 2022 have declined

Apart from one metropolitan based university (UTS), all other NSW universities reported a decline in the overall number of Aboriginal student enrolments. In 2022 overall enrolments of Aboriginal students declined by 190 students, taking the total number in 2022 to 7,397 (7,587 in 2021). This represents a decline of 2.5% since 2021. Overall, non-Aboriginal student enrolments in NSW also decreased by 3.9% in the same period, from 308,748 in 2021 to 296,553 in 2022. Consequently, the target growth rate for enrolments of Aboriginal and Torres Strait Islander students could not be achieved in 2022.

Whilst most of the regional universities have higher levels of Aboriginal student enrolments as a percentage of domestic students, they also experienced the largest decline in total Aboriginal students enrolled in 2022.

The Aboriginal students enrolled in 2022 by university is shown below, together with the change in Aboriginal students enrolled since 2021.

Source: Australian Department of Education, Student Data 2022, Section 11: Equity groups. Table 11.5 All domestic students by State.

The following graph shows Aboriginal students in 2022 as a percentage of total domestic students at each university.

Source: Australian Department of Education, Student Data 2022, Section 11: Equity groups.

Australian Universities Accord Report 2024

The 2024 Department of Education’s ‘Australian Universities Accord Final Report’ (the Review) examined Australia’s higher education system. The Review made 47 recommendations to assist with creating a long-term reform plan for the higher education sector with the goal of meeting Australia’s future skill needs.

The review highlighted concerns around skill shortages combined with declining completions rates and there is a need for reform sector wide. The report also underscores the critical need for collaboration among universities, government, and industry to address challenges facing the higher education sector effectively.

The review also outlined the need:

• for equitable higher education system, ensuring growth for skills through greater equality
• to set and meet more ambitious enrolment and equity targets, especially for those cohorts of underrepresented groups
• to adopt flexible learning models to meet diverse student needs while maintaining academic standards
• for the critical role of universities in driving and enhancing research and innovation
• for adapting to new technologies and embracing flexible learning models
• for transparency and accountability in how funds are allocated, ensuring that resources are effectively utilised to enhance the quality and accessibility of education for all students.

Source: Annual Work Program 2023-26 | Audit Office of New South Wales (nsw.gov.au).

Our previous reports have covered cyber security on large entities in the NSW state government as part of our Internal controls and governance 2023 report, and specific agencies such as the Managing cyber risks in Transport for NSW and Sydney Trains. We have also recently tabled a performance audit report into Cyber security in local government. Each report has highlighted cyber security insights in the context of their sector and operations. While the university sector has its own context, there are still some themes and insights that apply across contexts and sectors.

Reported cyber security incidents in education sector

Australian Signals Directorate (ASD) note in their ASD Cyber Threat Report 2022–23 that 6.7% of reported cyber security incidents were in the educational and training sector, the fourth most targeted sector.

Source: ASD Cyber Threat Report 2022–23.

Cyber security risks in the university sector

Common specific cyber risks for universities include the personal and private information they hold and share, and the research data and similar information they work with, including in areas of critical infrastructure.

All ten universities work with and share information with local, state, commonwealth and foreign governments. The relationships with these government agencies take various forms including teaching, research, consultancy, and other types of partnerships, as well as cooperation with regulatory requirements.

All ten universities rely on their faculties and divisions to identify the contractual security requirements when working with other organisations, primarily as part of the establishment of new partnerships. Contractual agreements and legislation drive the security requirements for those partnerships, and universities evaluate those agreements within their commercial, legal and research offices.

Data being shared through government relationship includes payroll and employee related data, student enrolment data, and various types of research data. Some of the data is classified for national security purposes under the Australian Government Protective Security Policy Framework.

The Security of Critical Infrastructure Act 2018 (SOCI) was amended in 2022 to include the Higher Education and Research sector. This Act places obligations on universities to (among others) identify functions, systems and data which meet the definition of a critical education asset, and to notify the Commonwealth Government when cyber security incidents occur in relation to these assets.

Critical Infrastructure assets are attractive targets for malicious cyber activity due to their connection with essential services, including national defence (source: ASD Cyber Threat Report 2022–23).

None of the ten universities have identified relevant functions, systems or data that meet the SOCI criteria

It is not clear that the inclusion of higher education in the legislation has led to a change in how universities operate or report. While universities work with critical infrastructure entities such as defence, health, transport, utilities, and telecommunications, all ten universities advised that no critical assets have been identified as defined in the SOCI legislation.

The actual processes to identify and evaluate these SOCI requirements varied across the universities. Capability varied from proactive and regular evaluations to reactive responses. Proactive evaluation of SOCI requirement is performed during contract creation, and in some universities, it also is performed periodically by the cyber security team and/or the critical infrastructure working group. Example of reactive response is when universities respond to information raised by individuals, researchers, or internal audit over potential SOCI compliance requirements.

In an environment of changing cyber security risks, evolving cyber security practices, and the potential for researchers to engage in new fields involving critical infrastructure entities, universities need processes to identify any emerging critical education assets that need to be managed in accordance with the SOCI Act.

All ten universities follow AS/NZS ISO 31000:2018 Risk Management – Principles and Guidelines. This standard describes a process of:

• identifying risks based on the external environment and factors specific to the entity
• assessing the severity of the risks based on the likelihood and impact should they occur
• determining a risk appetite for the entity; the severity of risks they can accept
• responding to risks outside appetite, typically by treating them to reduce the likelihood or impact to bring them within appetite.

Chief Information Security Officers participate in the identification of the cyber security risks through activities such as:

• workshops from stakeholders
• gap assessments against industry frameworks and benchmarks
• internal and external audit findings
• cyber security threat intelligence
• internal monitoring and vulnerability testing.

All ten universities identified cyber security risks, and controls over those risks, as part of their risk management process, recording between one and 43 risks arising from cyber security.

One university has recorded some detail but has not identified or documented what specific controls they have over the risks, or who performs the controls.

Seventy per cent of universities have cyber security risks above their risk appetite

Residual risks at the ten universities were rated between moderate and critical after considering the effectiveness of controls. All ten universities have defined a risk appetite statement for the risks arising from cyber security. Though senior management have defined the risk appetite as being the amount and type of risk they were willing to accept, 70% (seven of the ten) of the universities have evaluated that cyber security risks are above their risk appetite. One other university had not completed their cyber security risk assessment and evaluated it against their risk appetite.

Risks outside appetite mean that the universities see their cyber risk as being at an unacceptable level, putting their organisational objectives at risk.

Only two of those seven universities have formally accepted the risks that are outside their risk appetite, with formal approval from the executive level. The remaining five universities had their audit and risk committees informed of the level of risk and the progress on planned measures to reduce the level of risk.

It is not uncommon for risk to be assessed as outside appetite in organisations with mature and robust risk management frameworks, particularly in relation to novel or fast-moving threats and risk vectors. Clear and realistic evaluation of risks and control effectiveness is an essential element of good governance, and allows for well informed decisions over cyber security improvement investment priorities. However, it is important that risks are not permitted to remain outside appetite for longer than absolutely necessary.

Some of the universities that have not identified risks outside of their appetite do not demonstrate the same level of detail in their assessments, and therefore their assessments appear less robust and more prone to inaccuracy.

Assessment of cyber security maturity

Universities are not mandated to apply a specific cyber security framework, unlike federal and state government agencies. All ten universities have now adopted the use of at least one cyber security framework with most using more than one framework.

The most common framework used is NIST CSF (National Institute of Standards and Technology - Cybersecurity Framework), This framework was developed and is maintained by United States Department of Commerce, and is broadly applicable and widely used across many industries and in many countries. Nine universities use this framework to some extent.

The second most common is the Essential 8 framework from the ACSC (Australian Signals Directorate - Essential Eight). While this is far more limited in its scope, it is also widely used among some sectors, particularly commonwealth and state government sectors, and sets a minimum baseline to address the most commonly seen cyber attacks. Eight universities use or refer to this framework.

Other frameworks referenced include ISO27001, and the Commonwealth Government Information Security Manual.

Source: Audit Office analysis.

The chart above shows the journey of cyber security frameworks adoption by universities from 2021 to 2023. From the charts we could see:

• In 2021, one of the ten universities had not adopted any framework. In 2023, all ten universities have adopted a framework.
• The adoption of either ACSC E8 or the NIST Framework are continuously increasing from 2021 to 2023. In 2023, 70% (seven of ten universities) have used both frameworks as their main guidelines.
• NIST framework is the most common framework used by universities. Nine of the ten universities have adopted this framework.

Both the NIST CSF and the Essential 8 frameworks are supported by maturity models – a tiered measurement tool that shows the relative effectiveness of security controls within an organisation. These tools provide:

• a quantitative measure of cyber security across organisations in similar environments
• a useful and standardised method for identifying gaps in an organisation’s cyber security practices, and
• guidance on the required improvement areas to reach the next tier of maturity.

Nine of the universities assessed their current practices against one or more of these maturity models, and have used this assessment to guide their direction. Six universities engaged external parties to perform the assessment while the other two universities used internal resources for the review.

One university did not assess their current cyber security maturity

One of the ten universities did not assess its current cyber security maturity and capability in 2023.

Cyber security uplift programs

Cyber security uplift programs aim to improve cyber resilience, identify and reduce vulnerabilities and assess security risks across the university. These cyber security uplift programs are of increasing importance as the frequency and sophistication of cyber security attacks continues to grow. The development of these programs also utilises the evaluation of current cyber security practices, assessment of maturity against established cyber security frameworks, setting target maturity levels and defining plans to reach those targets.

Four universities did not have a formal cyber security uplift program

Two universities had neither defined a target state for cyber security capability, nor had a cyber security uplift program during 2023. A further two universities did have maturity targets but did not have a program in place.

These four universities are developing or obtaining approval for their cyber security uplift programs to run from 2024.

One university did not have a specific budget for cyber security

Nine of the ten universities allocated between $900,000 to $12.4 million on cyber security for 2023. This equated to 0.15% to 0.42% of total operating expenditure. The allocated budget included both operating expenditure and, where they existed, funding for the uplift program.

One university did not have a specific budget for cyber security.

Eight universities have set annual targets to meet their cyber security maturity targets. The two universities that do not have annual targets are still developing their uplift programs. Current and forward cyber security uplift programs to achieve their target had the following target timeframes:

• 4 universities with programs to achieve their target state by the end of 2024
• 4 universities with programs with a target state by end of 2026. However, one of them has not defined their year-on-year target
• 1 university with a program to achieve their target state by 2027, but is yet to define their year-on-year target
• 1 university with a program to achieve their target state by 2030
• 1 university considers their forward program as ongoing with no target timeframe
• 1 university is still developing their program and has not defined their timeframe.

The table below shows whether universities:

• have cyber residual risk beyond their risk appetite
• know their current maturity based on formal assessment
• have defined a formal cyber uplift program; and
• have allocated funding to support their cyber uplift program.

Source: Audit Office analysis.

We note the following key highlights:

• 3 of the seven universities with residual risks beyond the risk appetite have not defined their uplift program, and therefore do not have a plan to address this gap. One of these three has also not allocated any specific funding for improving its cyber security in 2023.
• 4 of the seven universities with residual risks beyond their risk appetite have performed their maturity assessment, defined an uplift program, and allocated specific funding which demonstrates a more proactive approach to managing their cyber security risks.
• 1 university has not performed a maturity assessment to understand if their cyber security residual risk is within their risk appetite.