Report snapshot
About this report
Financial audit results of the NSW public universities’ financial statements for the year ended 31 December 2023.
Audit findings
Unmodified audit opinions were issued for all ten universities.
Eight universities reported net deficits. Three of these improved on their 2022 results.
Total fees and charges returned to pre-pandemic levels, with 40.5% earned from overseas students from three countries.
Employee related expenses increased 10.2% in 2023 mainly due to an additional 2,830 full time equivalent staff, in response to increased teaching and research activities.
Key issues
The number of findings reported to management has increased to 111 matters in 2023, up from 88 in 2022.
These included one high risk finding and 62 moderate risk findings, a 72% increase from last year.
Gaps identified in universities’ governance processes included delays in responding to findings and recommendations; staff not attesting compliance with codes of conduct annually; and not capturing and recording staff conflicts of interest within central registers.
Seven of the ten universities have cyber security risks above what they determine as an acceptable risk. Four universities did not have a cyber security uplift program.
Recommendations
Universities should address all recommendations made in the report (see Appendix one for a summary of these).
In particular, there should be a focus on prioritising remediation of wage underpayments to affected employees; ensuring a centralised conflict of interest register is maintained for all staff; considering emerging risks in university risk registers; ensuring controlled entities are considered when determining internal audit plans; and focusing efforts to improve cyber security risk management and cyber resilience capability.
1. Introduction
This report provides NSW Parliament with the results of our 2023 financial audits of universities in New South Wales and their controlled entities, including analysis, observations and recommendations in the following areas:
- financial reporting
- internal controls and governance
- teaching and enrolments
- cyber security.
1.1 Overview of NSW universities
1 Eleven entities were exempt from reporting requirements in 2023. Further details are in section 2.1 of this report.
2 Eleven entities did not prepare and submit annual financial statements for audit in accordance with the requirements of the Government Sector Finance Act 2018 in 2023. Two new controlled entities did not need to submit annual financial statements for the year ended 31 December 2023 as their annual reporting period was the period of 12 months commencing on 1 July 2023. Further details are in section 2.1 and section 2.3 of this report.
3 Equivalent Full-Time Student Load (EFTSL) represents the equivalent full-time study load for one year.
4 Full-Time Equivalent (FTE).
Source: Student and staff numbers are provided by universities (unaudited).
2. Financial reporting
Financial reporting is an important element of good governance. Confidence and transparency in university sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines audit observations related to the financial reporting of universities in NSW for 2023.
Section summary
- The 2023 financial statements of all ten universities received unmodified audit opinions.
- Provisions for wage remediation across NSW universities increased by 66% to $183 million at 31 December 2023.
- Eight universities reported net deficits in 2023. Three of these improved upon their 2022 results. The remaining five reported higher deficits than those reported last year.
- Revenue from overseas students increased by 12.7% in 2023, as the number of overseas student enrolments increased by 12%.
- 40.5% of fees and charges revenue in 2023 came from overseas students from three countries (down from 41.5% in 2022).
- Revenue from domestic students increased by 2.4% in 2023.
- Combined expenses increased by $1.4 billion to $12.6 billion in 2023. Nearly half of this increase was attributed to higher employee related expenses.
2.1 Quality of financial reporting
Audit results
Unmodified audit opinions were issued for all ten NSW universities
Unmodified audit opinions were issued for all ten universities' 31 December 2023 financial statements. Sufficient and appropriate audit evidence was obtained to conclude the financial statements were free of material misstatement.
Unmodified audit opinions were issued for all completed audits of university controlled entities
Of the 78 university controlled entities in 2023:
- 52 received unmodified audit opinions
- 11 entities were exempted from the Government Sector Finance Act 2018 (GSF Act) reporting requirements
- 11 entities did not prepare and submit annual financial statements for audit in accordance with the GSF Act requirements (refer to section 2.3 for further details)
- the audits of two entities remain in progress
- two new controlled entities did not need to submit annual financial statements for the year ended 31 December 2023 as their annual reporting period was the period of 12 months commencing on 1 July 2023.
Division 2 of the Government Sector Finance Regulation 2018 (GSF Regulation) exempts certain entities from preparing financial statements under the GSF Act if all of the following criteria are met:
- the assets, liabilities, income, expenses, commitments and contingent liabilities of the entity are each less than $5 million
- the total cash or cash equivalents held by the entity is less than $2.5 million
- at least 95% of the entity’s income is derived from money paid out of the Consolidated Fund or from money provided by other relevant agencies
- the entity does not administer legislation for a minister by or under which members of the public are regulated.
These provisions exempted 11 university controlled entities from GSF Act reporting requirements in 2023 (12 in 2022). Entities that are exempted from financial reporting obligations are not audited by the Auditor-General.
The number of identified monetary misstatements decreased in 2023
A monetary misstatement is an error in an amount recognised in the financial statements initially submitted for audit.
Twenty-four monetary misstatements were identified during the audits of universities' financial statements in 2023 (27 in 2022). Sixteen of these misstatements with a gross value of $183.2 million were corrected in 2023 (19 in 2022 with a gross value of $173 million). The number of uncorrected misstatements was eight (same in 2022) with a gross value of $15.3 million in 2023.
The table below shows the number and quantum of monetary misstatements for the past two years.
Year ended 31 December | 2023: Corrected misstatements | 2023: Uncorrected misstatements | 2022: Corrected misstatements | 2022: Uncorrected misstatements |
Less than $50,000 | 0 | 0 | 2 | 0 |
$50,000 to $249,999 | 0 | 0 | 3 | 0 |
$250,000 to $999,999 | 2 | 2 | 2 | 5 |
$1 million to $4,999,999 | 6 | 6 | 4 | 1 |
$5 million and greater | 8 | 0 | 8 | 2 |
Total number of misstatements | 16 | 8 | 19 | 8 |
Source: Engagement Closing Reports issued by the Audit Office of New South Wales.
Of the 16 corrected monetary misstatements in 2023, eight had a gross value greater than $5 million and related to the following:
University | Description of corrected misstatements > $5 million |
The University of Sydney |
|
University of Wollongong |
|
Western Sydney University |
|
2.2 Timeliness of financial reporting
All entities met the statutory timeframe for submitting draft financial statements for audit
All ten universities and their controlled entities met the reporting deadlines for submitting their 2023 financial statements.
The Treasurer’s Direction TD 21-03 ‘Submission of Annual GSF Financial Statements to the Auditor-General’ issued on 16 June 2021 requires GSF agencies to submit their draft financial statements for audit within six weeks of the end of the annual reporting period.
At the date of this report, the audits of two university controlled entities’ financial statements are ongoing.
The Audit Office’s Independent Auditor’s Reports on universities’ financial statements for 2023 were issued between 25 March 2024 and 23 April 2024. Audit completion dates are presented in the following diagram.
Note: Audit completion dates for University of Newcastle were the same in both years.
Source: Independent Auditor’s Reports issued by the Audit Office.
2.3 Common accounting issues
Wage remediation provisions increased by 66% in 2023
More universities have provided for wage remediation liabilities, and the value of these provisions also increased in aggregate.
Complexity in enterprise agreements and inconsistent interpretation of the terms within those agreements meant that for several years, universities did not make accurate payments to certain staff. While the universities will not seek to recover overpayments to their staff, they accept the need to redress underpayments.
NSW universities have recorded provisions of $183 million in aggregate at 31 December 2023 ($110 million in 2022) relating to the historical underpayment of staff wages and entitlements. While conducting reviews of compliance with enterprise agreements, six universities engaged an expert to assess the full scale of underpayment. Identification of further instances of underpayment, and new categories of underpayment in 2023 have contributed to the overall increase in provisions.
Universities have collectively remediated $9.7 million during the year to staff identified as underpaid ($27.9 million in 2022). The provisions balance of $183 million at 31 December 2023 represented estimates of amounts still owing, or likely to be owing, to staff the universities identified as at risk of having been underpaid.
Three universities reported implementing procedures to mitigate the risk of future staff underpayments, while six universities continue to progress mitigation actions.
Some small university controlled GSF entities did not comply with legislative obligations to prepare financial statements
The GSF Regulation offers an exemption to certain small agencies from reporting obligations under Part 3A Division 2, section 9D. The criteria specify thresholds which, if met by an agency, exempt it from reporting and therefore audit requirements.
Advice from NSW Treasury in late 2023 on the interpretation of exemption criteria identified an issue relating to entities applying the ‘small agencies’ exemption criteria.
An entity that receives no income would not meet the third criterion in section 9D of the GSF Regulation that ‘at least 95% of the agency’s income is derived from money paid out of the Consolidated Fund or money provided by other GSF agencies’. Therefore, these entities are required to prepare and submit financial statements for audit under section 7.6 of the Government Sector Finance Act 2018 (GSF Act).
NSW Treasury advised it intends to correct this matter through a change to the GSF Regulation in 2024. Until resolved, this will be reported as a non-compliance for impacted agencies, including impacted university controlled entities. In 2023, the Audit Office reported 11 instances of non-compliance relating to this matter (ten instances in 2022).
Recommendations
- Universities should prioritise remediation of wage underpayments to affected employees.
- Universities should ensure controlled entities comply with the GSF Act reporting obligations.
2.4 Financial performance
Financial results
Two NSW universities reported positive net results in 2023 (one in 2022). Five universities’ net results improved from 2022.
The graph below shows the net results of individual universities for 2023 and 2022. When comparing the financial performance of universities in this report, the impacts of how universities accounted for the Education Australia Limited (EAL)/IDP Education Limited (IDP) transaction and the related franking credits have been excluded from each university’s results in all years.
Source: Universities’ consolidated financial statements (audited).
Key drivers behind the universities’ 2023 results were:
- increases in combined expenses by $1.4 billion to $12.6 billion in 2023. Nearly 50% of this related to higher employee related expenses, increasing by $709.2 million in 2023 to $6.9 billion
- increases in combined investment income of $678 million, with all but one university (Macquarie University) experiencing positive investment gains in 2023. Returns on The University of Sydney’s investments contributed more than 52% of the total combined universities’ investment income
- increases in fees and charges of $519 million for nine universities, with University of New South Wales recording the highest increase of $168 million in 2023
- increased government grants of $151 million for eight universities.
The graph below presents the revenue and expenses for each university in 2023.
Source: Universities’ consolidated financial statements (audited).
Movements in revenue and expenses for each university, and for the sector as a whole, are analysed later in this report.
Revenue from operations
A snapshot of universities’ revenue for the year ended 31 December 2023 is shown below.
Note: Government grants do not include Higher Education Loan Programs, such as the Higher Education Contribution Scheme (HECS), which are included in fees and charges.
Numbers above have been rounded to the nearest $0.1 billion.
Source: Universities’ consolidated financial statements (audited).
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Percentages above have been rounded to the nearest whole number.
Source: Universities’ consolidated financial statements (audited).
Combined revenue for universities totalled $12.5 billion in 2023, an increase of $1.5 billion (13.4%) from 2022. This was mainly driven by an increase of $678 million in investment income and $519 million in fees and charges due to the increase in overseas student enrolments (9,469 more full-time equivalent overseas students compared to 2022). Similar to last year, fees and charges continue to represent over half of universities’ total revenue in 2023.
Government grants represented 32.5% of the universities’ combined revenue in 2023
Aggregated Commonwealth, State and local government grants revenue to NSW universities increased to $4.1 billion in 2023 ($3.9 billion in 2022). As a proportion of the total revenues of all universities, government grants decreased to 32.5% (35.3% in 2022).
In previous years, various higher education reforms were proposed by the Australian Government to manage the cost of tertiary education and to reduce universities’ reliance on government grants. Prior to the COVID-19 pandemic, combined government grants as a proportion of the total revenue of universities in NSW was steadily declining, from 37% in 2015 to the lowest point in 2019 of 31.1%. From 2020, additional grant funding was provided to assist universities respond to the pandemic, which resulted in a steady increase in the proportion of grant funding compared to total revenue. While the dollar value of government grants increased in 2023, the percentage of government grants to total revenue decreased from 35.3% in 2022 to 32.5% in 2023. This was mainly due to a $678 million increase in universities’ investment income compared to the previous year, which had the effect of increasing the combined universities’ revenue and reducing the overall proportion of grant funding.
All revenue streams recorded a growth in 2023
The graph below presents the aggregated revenue streams for all universities in NSW from 2019 to 2023.
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).
Revenue from investment income recorded the strongest growth for all but one university in 2023, increasing by $678 million from the previous year.
Over the past five years, fees and charges revenue had the smallest growth rate of 2.4%. The decrease in 2020 reflects the impact of reduced overseas student enrolments during the COVID-19 pandemic at most universities. In 2023 total fees and charges returned to pre-pandemic levels.
Trends in fees and charges revenue for NSW universities for 2019 to 2023 are presented in the following graph.
Source: Universities’ consolidated financial statements (audited).
All universities except for Charles Sturt University recorded increased fees and charges revenue in 2023. University of Wollongong recorded the highest increase among the universities (20%), largely due to an increase in overseas student revenue ($59.5 million). The University of Sydney’s fees and charges revenue was not significantly impacted by the pandemic. It was the only university to record an increase in fees and charges revenue in 2021 (18.1% increase from 2020), and it has steadily increased its fees and charges to a high of $1.9 billion in 2023. University of New South Wales experienced a large reduction in fees and charges revenue in 2020 (12.9% decrease from 2019). Since then, this revenue has steadily recovered, and in 2023 it was 3.3% higher than its pre-pandemic level. The eight other NSW universities’ fees and charges revenue has not yet returned to pre-pandemic levels.
The following graph shows major revenue streams by universities for 2023. In 2023, three universities (four in 2022) received over 40% of their total revenue from government grants.
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).
In the current year, eight universities saw an increase in government grants from the prior year. The change in revenue from government grants at individual universities varied from a decrease of 2.9% to an increase of 10.9%.
The graph below shows Commonwealth, State and local government grants received by the universities in 2023 with the percentage change from 2022.
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).
In 2023, total course fee revenues increased by 12.7% from overseas students and 2.4% for domestic students
In 2023, combined total course fee revenues from overseas and domestic students returned to pre-pandemic levels. Universities’ overseas and domestic student course fees and charges revenue for 2019 to 2023 are presented in the following graph.
Note: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS, but does not include government grants for domestic students comprising the Commonwealth Grant Scheme (CGS) funding for Commonwealth Supported Places.
Source: Universities’ consolidated financial statements (audited).
Course fees and charges revenues from overseas students had been increasing steadily since 2012 to a peak of $3.6 billion in 2019. The impact of the COVID-19 pandemic’s global travel restrictions meant that between 2019 and 2022, total overseas student revenue decreased by $385 million or 10.6%. In 2023 all universities (except for Charles Sturt University) experienced an increase in overseas student revenue ranging from 3.9% to 47.1%, compared to 2022. The increase of $410.8 million in overseas student revenue in 2023 was driven by a 12% increase in the number of full-time equivalent overseas students studying at universities in NSW following the re-opening of the international border in early 2022 (from 79,123 full-time equivalent students in 2022 to 88,592 students in 2023). Nine universities increased their overseas student enrolments in 2023 compared to four universities in 2022. The increase was driven by a number of factors including government initiatives on student working rights and post-study visa rules, improved rankings for some universities in 2022, and student recruitment strategies implemented by universities post-pandemic.
In June 2023, the Department of Home Affairs published a student visa and temporary graduate visa program report which noted an increase in the number of visa rejections from 1 July 2022 to 30 June 2023. The report notes the increased visa rejection rate is due to a higher number of student visa applicants that reportedly used fraudulent documentation or information in their applications since the re-opening of the international border.
The rates of student visa applications granted between 2018–19 and 2022–23 are shown in the graph below.
Source: Department of Home Affairs, Student visa and Temporary Graduate visa program reports.
Approvals of student visas dropped from 92% in 2021–22 to 86% in 2022–23. In the last three months to December 2023, the overall rate of student visa approvals was 81.9%. NSW universities’ overseas student enrolments and revenue in 2024 are sensitive to changes in the rate of approvals of student visas.
The number of full-time equivalent domestic students has decreased by 2.6% since 2022, with only three universities experiencing an increase in domestic students in the current year. From 2019 to 2023, course fees and charges revenue from domestic students grew by $103.1 million or 4.8%. However, the number of full-time equivalent students decreased over the five years by 5.4%, to 194,932 from 206,141 in 2019. The financial impact of decreases in student numbers has been offset by increases in the average student fees for domestic students.
The graph below shows the movement in domestic student enrolments and average revenue per domestic full-time equivalent student between 2019 and 2023.
Note: Average revenue per domestic full-time equivalent student includes amounts from Higher Education Loan Programs, such as HECS, but does not include government grants for domestic students comprising the CGS funding for Commonwealth Supported Places.
The graph below shows the movement in full-time equivalent student enrolments (EFTSL) between 2023 and 2022.
Note: EFTSL is Equivalent Full-Time Student Load.
Source: Provided by universities (unaudited).
In comparing average revenue per full-time equivalent student, universities earn nearly twice as much from overseas students compared to domestic students. In aggregate for NSW universities in 2023, average revenue per domestic full-time equivalent student (including amounts from Higher Education Loan Programs and CGS funding for Commonwealth Supported Places) was $22,996. The average revenue per overseas full-time equivalent student was $41,117.
The graph below shows individual universities' revenue in 2023 from overseas and domestic students. Income from overseas students exceeds income from domestic students at The University of Sydney and University of New South Wales (same in 2022). Overseas student revenue recorded by these two universities makes up over 64% of total overseas student revenue for all NSW universities.
Note: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS. Government grants for domestic students represents the CGS funding for Commonwealth Supported Places.
Source: Universities’ consolidated financial statements (audited).
All universities except Charles Sturt University recorded increases in overseas student revenue compared to 2022. The movement in overseas student revenue in 2023 for each university is shown in the graph below.
Source: Universities’ consolidated financial statements (audited).
Movements in overseas student revenue did not impact each university equally. Different universities attract overseas students from different countries of origin in varying proportions. Four universities’ QS World rankings (The University of Sydney, University of New South Wales, Macquarie University and University of Wollongong) improved in 2022, which may have helped these universities attract more overseas students in 2023. University of New England recorded the highest percentage increase in overseas student revenue in 2023 from 2022 (47.1%), which the university attributed in part to the implementation of its offshore recruitment strategy.
40.5% of universities’ total revenue from fees and charges in 2023 derived from overseas students from three countries
In 2023, overseas students contributed $3.4 billion in course fees to universities in NSW ($3.1 billion in 2022), increasing by $325.5 million from 2022. Students from the top three countries of origin contributed $2.5 billion in fees ($2.4 billion in 2022), which closely approximates the universities’ total revenue from domestic students for 2023. These top three countries were China, India and Nepal (same in 2022). Revenue from students from these countries comprised 40.5% (42.1% in 2022) of total student revenues for all universities, and 71.7% of total overseas student revenue in 2023.
As reported in previous Auditor-General’s reports to Parliament on NSW universities, a high level of reliance on student revenue from these three countries of origin poses a concentration risk for NSW universities. Unexpected shifts in demand arising from changes in the geo-political or geo-economic landscape, or changes to visa approval rates or travel restrictions, can impact revenues, operating results and cash flows. The consequence of relying on revenues from overseas students when there is a lack of diversification in the countries of origin was realised as travel restrictions were implemented following the outbreak of COVID-19 in early 2020. While almost all universities’ revenues from overseas students were negatively impacted in 2020, there was a greater impact initially and less resilience in student revenues from some countries of origin over the following two years.
The graph below shows the parent universities’ revenue in 2023 from overseas and domestic student fees and charges.
Note 1: The figures used for revenue relate to students enrolled in bachelor or higher degrees at the parent university.
Note 2: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS.
Source: Total revenue from domestic and overseas students was sourced from universities’ parent financial statements (audited). Revenue from students by country of origin was provided by universities (unaudited).
Student enrolments from China continue to represent the largest share of overseas enrolments
The number of overseas student enrolments (by headcount) at NSW universities increased from 138,941 in 2022 to 166,178 in 2023.
All universities continue to market their educational products in international markets, focusing on countries in Asia.
The graph below shows the composition of overseas student enrolments by country of origin over the past five years.
Source: Australian Trade and Investment Commission, international student data.
Seven of the ten universities record China as the leading source of overseas student revenues. This creates a concentration risk for each university, and for the NSW university sector as a whole. In 2023, the university sector appears to have diversified its sources of overseas student enrolments. This is demonstrated in the graph above, where student enrolments from China reduced from over half of total overseas enrolments in 2022 to 42.3% in 2023.
The graph below illustrates the relative reliance of each university on a single country for their overseas student revenue. Among the eight universities that recorded China as the leading source of overseas student revenues in 2022, five experienced a decrease ranging from three per cent to 26% in overseas student revenue from China in 2023. University of Wollongong changed its top country of origin from China to India, which brought the number of universities that recorded China as the leading source of overseas student revenues in 2023 to seven.
Only two universities now have over 40% of their overseas student revenue reliant on one country, compared to six universities in 2019. The highest proportion of overseas student revenue sourced from a single country of origin at individual universities ranged from 24% to 79% (2022: 20% to 84%).
Note: The figures used for revenue relate to students enrolled in bachelor or higher degrees at the parent university. The percentage has been calculated based on the university parent total overseas student revenue.
Source: Provided by universities (unaudited).
Other revenues
Philanthropic contributions to universities decreased with the exception of two universities
Universities and many of their controlled entities are registered as charities. They can attract significant donations and bequests from public, private and corporate philanthropists. Some bequests are tied to specific research activities, and in order to comply with the terms of the bequest, the university may not use the funds for other purposes.
Overall philanthropic contributions to universities increased slightly by two per cent from $203 million in 2022 to $207 million in 2023. However, eight universities experienced a decrease in philanthropic contributions in 2023. University of New South Wales received additional philanthropic contributions of $20.9 million in 2023, which brought its total philanthropic contributions to $71 million, in line with The University of Sydney’s $72.2 million in 2023.
The University of Sydney and University of New South Wales attracted 69.2% of total philanthropic contributions in 2023 (61.6% in 2022). The newer, smaller and non-metropolitan universities have been least able to attract donations.
The graph below presents donation revenue received by each university in 2023.
Source: Universities’ consolidated financial statements (audited).
Total research income for universities was $1.6 billion in 2022
Research income statistics for 2023 are not available from the Australian Department of Education until December 2024, so there is a time lag in reporting this key measure.
Universities’ total research income decreased by $78 million (4.7%) in 2022 compared to 2021. However, overall universities’ research income increased over the five years from 2018 to 2022. It increased by $347 million (28.6%) from $1.2 billion to $1.6 billion, mostly due to increased industry and other funding and other public sector research funding of a combined $243 million.
The University of Sydney and University of New South Wales collectively attracted 64.4% of total research income for all universities (69% in 2021). The graph below shows research income by university in 2022.
Source: Australian Department of Education statistics on Higher Education Research Income (audited).
Expenses
A snapshot of combined expenses at universities in NSW for the year ended 31 December 2023 is shown below.
Note: The numbers above have been rounded to the nearest $0.1 billion.
Source: Universities’ consolidated financial statements (audited).
Universities’ combined expenses increased by 11.3% in 2023
Combined expenses for universities totalled $12.6 billion in 2023, representing an increase of $1.4 billion (11.3%) from 2022. Most of this increase was due to higher employee related expenses and other expenses for universities.
The outbreak of the COVID-19 pandemic put immediate financial pressure on the sector and universities responded by implementing cost saving measures. However, since 2022, universities’ combined expenses are now greater than pre-pandemic levels. As universities return to normal operations, combined ‘other’ expenses (including travel and entertainment, staff development, consultants, and repairs and maintenance) increased by $565.2 million in 2023 to $3.8 billion. Some key contributors to this year’s increase in other expenses are:
- travel, entertainment and staff development expenses increased by $72.2 million (53%)
- repairs and maintenance expenses increased by $70 million (28.8%)
- agents’ commission increased by $66 million (37.3%)
- consultant and professional services expenses increased by $27.3 million (21.1%).
The total expenses for each university in 2023, and the change since 2022, is shown below.
Source: Universities’ consolidated financial statements (audited).
Expenses at all universities increased in 2023, the largest increase being employee related expenses. This accounted for nearly 50% of the increase in expenses compared to the previous year. The University of Sydney and University of New South Wales recorded the largest increases in expenses, of $370 million and $264.1 million respectively.
Employee related expenses increased 10.2% in 2023
Combined employee related expenses for universities increased to $6.9 billion in 2023, up by $709.2 million (10.2%) from 2022. The movement was partially due to growth in full-time equivalent (FTE) staff numbers of 2,830 (seven per cent), and wage increases in line with enterprise agreements. Universities increased staffing levels to support increased strategic projects, teaching and research activities and to improve student services.
Redundancy expenses were $25.6 million in 2023 compared with $16.5 million in 2022. However, the number of positions made redundant during the year fell from 337 to 299 in 2023.
Combined expenses from wage underpayments were $36.1 million in 2023, down from $73.1 million in 2022.
The graph below shows the key components of expenses for each university in 2023.
Source: Universities’ consolidated financial statements (audited).
Employee related expenses represent the major portion of expenses at each university and ranged from 49% to 61% of total expenses.
Controlled entities
The number of universities’ controlled entities increased
Four new controlled entities were created (one each for Southern Cross University and Western Sydney University and two for The University of Sydney), which increased the total number of controlled entities from 74 to 78 this year. Controlled entities, whether based in Australia or overseas, experienced overall declines in their operating results.
Of the 78 controlled entities, 12 were non-operating entities at 31 December 2023 (12 in 2022), including corporate trustees that do not trade and entities that have ceased to operate due to business rationalisation.
Many of the universities’ controlled entities were impacted by the COVID-19 pandemic, but none closed as a result. 51 of 54 controlled entities that prepared 31 December 2023 financial statements were able to demonstrate they were going concerns. Some controlled entities experiencing continuing losses required financial support from the parent entity to meet their financial commitments. Seventeen universities’ controlled entities reported losses in 2023 (17 in 2022). Twenty-nine of the universities’ controlled entities required letters of financial support from their parent in 2023 (30 in 2022).
The table below details the number of universities' controlled entities.
University at 31 December 2023 | Total number of controlled entities | Number of non-operating entities | Number of overseas controlled entities |
Charles Sturt University | 2 | -- | -- |
Macquarie University | 14 | 8 | 1 |
Southern Cross University* | 2 | -- | -- |
University of New England | 5 | 1 | -- |
University of New South Wales | 16 | 1 | 7 |
University of Newcastle | 4 | -- | 1 |
The University of Sydney* | 5 | -- | 2 |
University of Technology Sydney | 10 | -- | 5 |
University of Wollongong | 13 | 1 | 8 |
Western Sydney University* | 7 | 1 | 1 |
Total | 78 | 12 | 25 |
* These universities had new controlled entities in 2023.
Source: University and controlled entities' financial statements (audited).
3. Internal controls and governance
Appropriate financial controls help to ensure the efficient and effective use of resources and administration of policies. They are essential for quality and timely decision-making. Effective governance is essential for the stability, sustainability and ethical operation of universities. It ensures accountability, transparency and promotes responsible decision making.
This chapter outlines our observations and insights from our financial statement audits of NSW universities.
Our audits do not review all aspects of internal controls and governance every year. The more significant issues and risks are included in this chapter. These, along with the less significant matters, are reported to universities for management to address.
3.1 Findings reported to management
The number of findings reported to management has increased by 26%
Breakdowns and weaknesses in internal controls increase the risk of fraud and error. Deficiencies in internal controls, matters of governance interest and unresolved issues were reported to management and those charged with governance of Universities. The Audit Office does this through management letters, which include our observations, the related implications, our recommendations and risk ratings.
In 2023, there were 111 findings raised for universities (88 in 2022). Twenty-nine per cent of all issues were repeat issues (47% in 2022).
The most common repeat issues related to user access, privileged user review, outdated policies and procedures, payroll and procurement processing deficiencies.
A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports, and in generating financial statements. This can impair decision-making, impact service delivery and expose universities to fraud, financial loss and reputational damage. Poor controls may also mean staff may be less likely to follow internal policies.
2023 audits identified one high risk finding
In 2023, the Audit Office reported one high risk finding which has been carried forward since 2018. The details of this finding are summarised below.
University | Description |
2023 findings | |
University of New England | Deficiencies were identified relating to the privileged user activity monitoring processes for three applications. This issue was first raised in 2018. Management should address these control deficiencies as a matter of priority, as long-standing control weaknesses will continue to pose a fraud risk. |
Note: Management letter findings are based either on final management letters issued to universities, or draft letters where findings have been agreed with management.
Findings are categorised as relating to information technology, internal control deficiencies, financial reporting and governance and oversight. The table below describes the common issues identified at universities by category and risk rating.
Risk rating | Issue |
Information technology | |
High: 0 new, 1 repeat; Moderate: 24 new, 3 repeat; Low: 4 new, 2 repeat | The financial audits identified deficiencies that need to be remediated to improve information technology processes and controls that support the integrity of financial data used to prepare universities’ financial statements. Of particular concern are issues associated with:
|
Internal control deficiencies or improvements | |
High: 0 new, 0 repeat; Moderate: 10 new, 8 repeat; Low: 9 new, 5 repeat | The financial audits identified internal control deficiencies across key business processes, including:
|
Financial reporting | |
High: 0 new, 0 repeat; Moderate: 5 new, 3 repeat; Low: 15 new, 2 repeat | The financial audits identified deficiencies that need to be remediated relating to financial reporting, including:
|
Governance and oversight | |
High: 0 new, 0 repeat; Moderate: 6 new, 3 repeat; Low: 6 new, 5 repeat | The financial audits identified deficiencies that need to be remediated for universities to improve governance and oversight processes, including:
|
High risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Moderate risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Low risk from the consequence and/or likelihood of an event that has had, or may have a negative impact on the entity.
Note: Management letter findings are based either on final management letters issued to agencies, or draft letters where findings have been agreed with management.
The number of moderate risk findings significantly increased from prior year
Sixty-two moderate risk findings were reported in 2023, representing a 72% increase from 2022. Of these, 17 were repeat findings, and 45 were new issues.
Moderate risk findings mainly related to:
- weaknesses in user access management such as untimely access removal for terminated staff, access provided without formal approval, and a lack of periodic user access review
- lack of monitoring of privileged user accounts and changes made by privileged users
- employee-related issues, including salary underpayments, timesheet issues and excessive annual leave
- procurement-related issues, including purchase orders approved after invoice date.
The table below shows the levels of risk on the findings by university for 2023, and how many of the findings were repeat issues.
Internal control findings 2023
University | High | Moderate | Low | Repeat |
Charles Sturt University | -- | -- | 2 | -- |
Macquarie University | -- | 8 | 8 | 2 |
Southern Cross University | -- | 7 | 2 | 3 |
University of New England | 1 | 9 | 4 | 3 |
University of New South Wales | -- | 8 | 8 | 8 |
University of Newcastle | -- | 5 | 5 | 3 |
The University of Sydney | -- | 3 | 4 | 4 |
University of Technology Sydney | -- | 12 | 6 | -- |
University of Wollongong | -- | 8 | 5 | 6 |
Western Sydney University | -- | 2 | 4 | 4 |
Total | 1 | 62 | 48 | 32 |
Note: The number of repeat findings is included within the other columns.
Source: Management letters issued by the Audit Office for the parent universities.
Thirty-two repeat findings were reported in 2023
There were 32 repeat findings (41 in 2022) identified in 2023. Repeat findings arise when the university has not implemented recommendations from previous audits. A majority of the repeat findings related to user access, privileged user review, outdated policies and procedures, payroll and procurement processing improvements. Until rectified, the vulnerabilities those control deficiencies present can be significant.
Universities have agreed to prepare implementation plans to address these repeat issues.
Recommendation: Universities should ensure repeat findings on internal control deficiencies are addressed in a timely manner, particularly those that have been repeat findings for a number of years.
The graph below shows the spread of repeat findings by area of focus and risk rating.
Source: Management letters issued by the Audit Office for the parent universities.
3.2 Governance arrangements
Governance in the context of universities refers to the structures, processes, systems and mechanisms by which universities are held to account when they make decisions. This section outlines our audit observations, conclusions and recommendations from our review of governance frameworks and practices.
Governing authorities
Each university is established under its own Act of Parliament. The enabling legislation stipulates a Council or Senate as the governing authority, responsible for, but not limited to, monitoring and overseeing performance, academic activities and the overall strategic direction of the University. Part Four, Division One of the respective enabling legislation of each University establishes the functions of the Council or Senate.
All ten universities have governing authorities and board charters
All ten universities have a council or senate as their main governing authority, all of which operate within the framework of a charter or terms of reference. The charter and/or terms of reference clearly state the responsibilities of the governing authorities’ members.
A governing authority charter or terms of reference is an important policy document that describes the objectives and governance functions of the governing authority, including how it interacts with management. The charter is essential to ensuring effective operation of the governing authority and should incorporate a requirement whereby the governing authorities’ performance is periodically evaluated.
Periodic review of the performance of governing authorities varies amongst universities
Part four, division one of the universities’ enabling legislation requires the governing authority to regularly review its own performance. Additionally, the Higher Education Standards Framework (Threshold Standards) 2021 (HESF), requires each provider to undertake periodic independent reviews of the effectiveness of the governing body at least every seven years.
The University Chancellors Council ‘Voluntary Code of Best Practice for the Governance of Australian Public Universities’ also outlines ‘at least once every two years’ as a minimum for assessing the performance of the governing body and its members.
As part of our review, we observed:
- universities have differing interpretations of what constitutes a regular review of the governing authorities. The review period ranges from annually to every seven years
- 2 universities had not undertaken a review of their governing authorities’ performance since 2021
- 2 universities’ charters did not specify a frequency for performance reviews
- 2 universities did not undertake a review in the specified timeframe outlined in their charter, citing COVID-19, resource constraints and changes to members of the governing authority
- 1 university conducted performance reviews of their governing authority through an in-house assessment, seven outsourced this review and two confirmed both an in-house and external assessment was performed.
For those universities who more recently assessed the performance of the governing body and its members, findings and recommendations included:
- enhancing the format and information included in council or senate papers
- more regular reporting on indigenous strategies
- more regular and formal reporting on complaints and misconduct
- enhancing diversity of the membership including stronger educational understanding and skills on Council
- setting limits on terms of office for external members
- improving the transparency of management and communication of key issues.
Evaluating the performance of universities’ council or senate and their members is key to ensuring an effective governance function. The strategic direction of universities is not static, but changes over time. Timely performance reviews ensure that the members’ competencies and experience align with the current needs of the university.
Organisational structures and capability frameworks
Organisational structures provide a framework on how a university is organised to achieve its objectives. The structure defines the hierarchy of staff and their roles and responsibilities within the overall structure. At a granular level, staff capability frameworks outline the responsibilities of individual roles.
Regular reporting of key personnel gaps to those charged with governance is needed
All universities have an organisational structure that is current and reflects positions of key personnel. The organisational structure of two universities did not highlight gaps in key personnel and three universities did not regularly report these gaps to those charged with governance.
Periodic reporting of known gaps in key personnel to those charged with governance is essential to ensuring key decision-makers are able to address critical gaps.
Our review of the ten NSW universities also identified:
Number of NSW universities | |
8 | have implemented a staff capability or equivalent framework that outlines employee roles and responsibilities |
10 | have developed an organisational structure |
2 | of the organisational structures did not outline known gaps in key personnel, such as vacancies |
3 | do not regularly report key gaps in personnel to those charged with governance. |
Source: Audit Office analysis.
Code of ethics and conduct
Seven universities do not require staff to annually attest to the code of conduct
All ten universities have established a code of conduct (the Code) to provide clear guidelines and rules to staff and to set the ethical, integrity and professional standards within the university. All but two universities required staff to acknowledge they understand the requirements of the Code upon commencement of employment.
A code of ethics and conduct sets the standard of behaviour required for all staff, including both professional and personal conduct. Annual attestations help ensure that staff remain accountable, uphold organisational values and act in the best interests of the organisation.
Our review of the ten NSW universities also identified:
Number of NSW universities | |
7 | did not require ongoing annual reviews and confirmation of adherence to the code |
2 | did not require staff to acknowledge they understand the code upon commencement of employment |
1 | did not review the code by the specified review date |
1 | did not include key terms such as gifts and benefits, engaging with lobbyists, behaviour contrary to the code |
1 | did not ensure their code extends to contractors or third-party vendors. |
Source: Audit Office analysis.
Recommendation: Universities should ensure:
Conflicts of interest
A conflict of interest is defined by the NSW Independent Commission Against Corruption as a:
‘… conventional expression that usually refers to circumstances in which someone’s personal interests may conflict with their public duty. A conflict of interest exists when a reasonable person might perceive that a public official’s personal interest(s) could be favoured over their public duties.’
Identifying, disclosing, managing, and monitoring conflicts of interest is essential to ensuring sound governance. Schedule 2A of the universities’ enabling legislation requires all material interests of Council or Senate members be declared and disclosed.
Our review of all ten NSW universities identified:
Number of NSW universities | |
10 | maintained a conflict of interest policy and/or framework |
4 | did not maintain a centralised conflict of interest register for all employees |
3 | did not have a requirement to update the register at least annually for all employees |
2 | did not refer to the register when engaging with suppliers/vendors. |
Source: Audit Office analysis (unaudited).
Conflict of interest registers are not being consistently maintained or used
NSW universities are not consistently maintaining or using conflicts of interest registers. We observed that whilst all universities capture and record material interests relating to council or senate members, for some universities this process does not extend to all university staff. Four universities are not capturing and recording all staff related conflicts of interest within a centralised register.
Two universities confirmed they did not refer to their conflict of interest register when engaging in procurement activity to ensure transactions are at arm’s length.
Centralised conflict of interest registers allow for transparency and provide a single source of information that can be consistently analysed against relevant policies and/or frameworks. Conflict of interest registers should be consulted when engaging with new or existing suppliers, ensuring that conflicts of interest risks are appropriately addressed, and decisions for the procurement of goods and services are at arm’s length.
Recommendation: Universities should maintain a centralised conflict of interest register for all staff. Registers should be updated when conflicts are identified and on an annual basis. Conflict of interest registers should be referred to during procurement activity to ensure that any perceived or actual conflicts of interest risk are identified and appropriately addressed.
Risk management
Effective risk management is an essential part of good corporate governance. It helps universities to identify, assess and prioritise risks and in turn minimise, monitor and control the impact of unforeseen events. Effective management of risks allows for universities to also better respond to opportunities that may emerge and improve their services and activities.
The Treasury Policy Paper TPP 20-08 Internal Audit and Risk Management Policy for the General Government Sector (TPP 20-08) is a mandatory policy for NSW government agencies. While the principles are not mandatory for universities it is useful as a guide for better practice more generally. The Treasury policy outlines minimum standards for risk management, internal audit and audit and risk committees. The policy's core requirements are founded on Australian Standard AS ISO 31000: 2018 Risk Management Guidelines.
Risk management policies, registers and frameworks
A mature risk environment requires strategic and operational risks to be formally documented including a risk policy and risk appetite statement; regular robust risk assessments clearly outlining ownership of risks and mitigating actions, timeframes, and accountabilities; ensuring controls adequately address risk. Management of risk should include mechanisms to escalate risks, and action plans to mitigate risks with effective internal controls.
All universities have developed risk management frameworks, policies, appetite statements and registers
Our review of universities’ risk management frameworks noted all have implemented risk management frameworks including policies, appetite statements and registers. Three universities did not review their risk management policy by the scheduled review date.
Risk management policies and frameworks are critical to supporting universities in their engagement with and mitigation of risk. A strong framework enables universities to identify and assess key risks and enable decision makers to respond to these risks in an appropriate and timely manner. Additionally, risk appetite statements provide a formal expression of a university’s tolerance when dealing with risk and can lead to improved decision making, better prioritising of risk and ensuring risk management is aligned with their objectives.
All universities maintain risk registers that link to their strategic plan, however some deficiencies were identified
Our review of the ten NSW universities’ risk registers identified:
Number of NSW universities | |
9 | assigned responsibilities for each risk |
9 | defined risk events |
8 | outlined whether the risks were acceptable |
8 | contained timelines for implementation of a mitigation strategy |
8 | considered climate related risks |
3 | did not capture emerging risks |
3 | did not document the effectiveness of existing mitigating controls |
3 | did not assign responsibility for implementing further mitigating strategies. |
Risk registers are a vital tool for universities to track their key risks and to plan how to adequately address the risks to acceptable levels over time.
All universities provided formal or informal risk management training in 2023
All universities provided varying degrees of formal or informal risk management and awareness training for staff in 2023. In some instances, the training was limited to executive leadership teams and not mandatory for all staff.
Staff should be appropriately equipped with the skills and knowledge to identify, report and respond to risks. A key aspect of embedding a risk management culture into an organisation is staff capability. This refers to the knowledge, skills and abilities that public sector employees must demonstrate to perform their roles effectively. Building risk capability is a key management function.
Most universities are performing risk maturity assessments
Most universities are performing a risk maturity assessment on a regular basis. Nine universities that performed the assessment have advised they have developed action plans to address identified gaps. University of Wollongong is currently in the process of undertaking their risk maturity assessment.
A mature risk environment requires the risk architecture including the principles, framework and processes to be formally documented. Management should perform regular risk maturity assessments to help identify specific areas to improve risk culture and overall risk capability. Regular assessments will allow for universities to compare and review results over time, providing more meaningful risk analysis.
Our review also noted:
Number of NSW universities | |
10 | have an established risk management policy, register and appetite statement |
10 | provide risk reports to the accountable/governing authority |
10 | have considered exploring opportunities as part of risk management |
1 | has not completed a risk maturity assessment |
5 | had internal audit assess the effectiveness of the risk management framework |
9 | had risk appetite statements with quantitative, measurable risk tolerance levels. |
Source: Audit Office analysis.
Recommendation: All universities should ensure:
Commonly reported risks across the university sector
The following diagram outlines the top three risks commonly identified by the NSW university sector:
Source: Agencies’ enterprise risk registers (unaudited).
Financial sustainability, cyber and information technology and workforce related risks were the most common risks recognised by NSW universities. One university recognised climate and environmental risks within their top three risks.
Cyber security forms part of the top three risks of most universities. Due to the increasing prevalence of this risk, a separate chapter has been dedicated in this report to focus deeper on the general cyber risk environment for universities. It analyses how universities have assessed cyber risk, what frameworks are used to implement controls over those risks, and the extent to which these controls are implemented. Refer to Chapter 5 Cyber Security in this report.
Internal audit function
The Institute of Internal Auditors (IIA) defines internal auditing as:
‘…an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’
All NSW universities operate an internal audit function as outlined in TPP 20-08 Internal Audit and Risk Management Policy, which is used as best practice guidelines within the university sector. The policy outlines the internal audit function is to provide timely and useful information to management on:
- the adequacy of and compliance with the system of internal control
- whether agency results are consistent with established objectives
- whether operations or programs are being carried out as planned.
All universities have established an internal audit function and internal audit plans that have been endorsed by their respective audit and risk committee (ARC). Internal audit functions are generally performed via a combination of internal staff and external service providers. Two universities have a fully operational in-house internal audit function. The remaining universities outsource the function or have a combined approach, see details below:
Source: Audit Office analysis.
Forty per cent of internal audit functions have not been independently evaluated
Four universities’ internal audit functions were not subject to an external evaluation in the last five years. Whilst not mandatory for NSW universities, TPP 20-08 requires that agencies ensure an external assessment of the internal audit function is conducted by a qualified, independent assessor selected in consultation with the audit and risk committee at least once every five years.
Ninety-nine internal audit recommendations are greater than 12 months old
Eight universities collectively had 99 internal audit recommendations that have taken more than 12 months to address.
Timely implementation of long tail recommendations is dependent on the complexity of the recommendations. Management at the respective universities have advised that delays in addressing these recommendations are mainly due to:
- time taken to procure and/or implement new systems or applications that are designed to address the risks
- original recommendations/actions often becoming part of an enterprise-wide delivery program that is delivered on a larger scale and often in a staged approach.
Six universities did not complete internal audits of their controlled entities in 2022 and 2023
There are 78 controlled entities incorporated in Australia or overseas that are controlled by NSW universities, with most of these entities (nearly 85%) being operational. Six universities did not complete internal audits of their controlled entities in 2022 and 2023. There were only four universities that incorporated their controlled entities into their internal audit plans for both 2022 and 2023.
Controlled entities may operate in different jurisdictions and in some instances can be subject to less formalised oversight and governance compared to the parent entities. Universities should consider the need for incorporating controlled entities on a risk basis into their respective internal audit plans.
Recommendation: Universities should ensure:
Audit and risk committees
The universities’ enabling legislation outlines that a function of the governing authority is to oversee risk management and risk assessments across the university. Governing authorities have established an Audit and Risk Committee (ARC) to assist in overseeing risk management, internal controls, governance processes and regulatory compliance.
Treasury policy TPP 20-08 Internal Audit and Risk Management Policy defines an ARC as a committee established to ‘monitor, review and provide advice and guidance about the agency's governance processes, risk management and internal control frameworks and external accountability obligations.’ This policy is used as better practice for NSW universities.
All universities have established an audit and risk committee and charter
All ten universities have established an ARC, whose responsibilities and governance are underpinned by a charter or terms of reference. The majority of NSW universities reported holding ARC meetings on average five times during the year.
The ARC charter should, at a minimum, include the objectives of the committee, the authority of the committee, composition, tenure and reporting lines. Best practice guidelines outline that for the ARC to effectively perform its role, meetings should be held at least quarterly. This is also dependent on the size and complexity of the agency.
Most universities reviewed their ARC charter in the last 12 months
TPP 20-08 requires committee charters to be reviewed at least annually and the review should be performed in consultation with the appropriate accountable authority. Southern Cross University did not review their charter in 2023; however, it has since completed a review in April 2024.
The policy outlines the importance of periodic reviews to ensure ongoing relevance and that the charter is sufficiently detailed to ensure there is no ambiguity on roles and responsibilities.
4. Teaching and enrolments
Universities' primary objectives are the functions of teaching and research. They invest most of their resources aiming to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and their standing in international and Australian rankings.
This chapter outlines teaching and enrolment outcomes for universities in NSW for 2023.
4.1 Teaching outcomes
Graduate employment rates
Some universities did not meet national averages for full-time employment rates
Universities assess the employment outcomes of their graduates by using published data from surveys conducted by the Australian Department of Education's agents. The survey timeframe for employment outcomes is approximately four to six months after completion of studies.
Graduate employment outcomes vary across universities. According to the 2023 independent survey, six of ten NSW universities exceeded the national average of 79.4% for full-time employment rates of their domestic undergraduates. Six universities performed better than the national average of 90% for full-time employment outcomes of their domestic postgraduates.
The survey results indicate that in the short-term postgraduates are more likely to be employed full-time compared to those who completed an undergraduate qualification. These results reflect that postgraduates are more likely to be well established in the workforce prior to undertaking their postgraduate studies.
The graph below presents the results of the 2023 survey by university.
Source: Quality Indicators for Learning and Teaching ‘Graduate Outcomes Survey National Report 2023’ published May 2024, funded by the Australian Department of Education.
Overseas student graduates’ employment rates continued to be consistently lower than those for domestic graduates. However, the 2023 survey showed average employment rates have improved since 2022 due to the strong recovery of the Australian labour market.
The national survey data notes that overseas graduates are considerably more likely than domestic graduates to undertake further full-time study. The 2023 data indicates that four to six months after course completion, 25.9% of international undergraduates were enrolled in further full-time studies, compared to 17.6% of undergraduate domestic students. Electing to undertake further study can contribute to the lower rates of labour force participation and employment outcomes for overseas graduates.
Student enrolments by field of education
Enrolments at universities improved the most in Health, IT and Engineering in 2023
Overall enrolments increased by 4,247 full-time equivalent (FTE) students in 2023 from approximately 279,277 FTE to 283,524 FTE students. This is a significant improvement when compared to the 12,000 FTE student enrolment decrease experienced last year. The largest increases in student enrolments at universities in NSW in 2023 were in:
- Information Technology, Engineering and Related Technologies courses, with approximately 4,708 more enrolments compared to 2022 (11% increase)
- Health related courses, with approximately 2,144 more enrolments compared to 2022 (five per cent increase).
The upward trend in enrolments reflects both Commonwealth and State government initiatives to address skill shortages, particularly in areas of national priority such as Health. The ‘Australian Universities Accord Report’ also recently highlighted skills shortages in areas such as Health.
The largest decreases in student enrolments at universities in NSW in 2023 continued to be seen in:
- Society and Culture courses, with approximately 2,921 fewer enrolments compared to 2022 (four per cent decrease)
- Science related courses, with approximately 534 fewer enrolments compared to 2023 (one per cent decrease).
The graph below shows the movement in student enrolments by field of education between 2022 and 2023.
Note: EFTSL is Equivalent Full-Time Student Load.
Source: Student numbers are provided by universities (unaudited).
Modes of learning
Face to face course delivery remains the most common mode of learning
On average, face to face delivery of courses remains the most common mode of learning across NSW universities. In 2023, approximately 52% of courses were exclusively delivered face to face compared to 45% in 2022.
Universities are delivering courses via online learning, face-to-face or a hybrid approach of online and face-to-face learning. On average, universities delivered:
- 20% of their courses primarily online (21% in 2022)
- 52% of their courses primarily face-to-face (45% in 2022)
- 28% of their courses both online and face-to-face (34% in 2022).
Source: Modes of Learning percentages provided by universities (unaudited).
Face to face course delivery is more prevalent for metropolitan universities
The high levels of online learning in 2021 were due to COVID-19 restrictions, which resulted in universities shifting their course delivery from being predominantly face-to-face to online. In 2021, four metropolitan universities delivered most of their courses primarily through online methods. This shifted in 2022 when COVID-19 restrictions eased and reduced further in 2023 with metropolitan universities delivering on average eight per cent of their courses online (11% in 2022). Most courses were delivered face to face.
Online course delivery is more prevalent for non-metropolitan universities
Most of the non-metropolitan universities delivered on average 32% of their courses digitally (32% in 2022). When comparing to pre-COVID-19 levels, non-metropolitan universities have increased the extent of courses being delivered online.
Universities use a combination of both internally and externally managed learning platforms, with internally managed platforms supported by third party software. Thirty per cent of universities manage their own online platform or application, with the remainder outsourcing.
All universities have performed evaluations on the quality and effectiveness of their online service delivery over the last 12 months, some of which include student experience surveys and reviews of online content against externally published quality standards. Much of this is done as part of general course evaluation procedures.
Additionally, all universities confirmed they have evaluated their digital learning platforms as part of their cyber security assessments.
Students from low SES backgrounds
In 2009, the Australian Government set a target for 20% of university undergraduate enrolments to be students from low socio-economic status (SES) backgrounds by 2020. The Australian Universities Accord report released in February 2024, confirmed this target was not met in part because of higher-than-expected growth in the total undergraduate population in Australia.
Enrolment statistics for 2023 are not expected to be available from the Australian Department of Education until late 2024 and the following analysis is based on 2022 published data.
Five universities reported that they enrolled more students from low SES backgrounds than the target
The 2022 results for universities in NSW showed five universities achieved enrolments of more than 20% of domestic undergraduate students from low SES backgrounds. These were the same five universities who achieved the 20% target in 2020 and 2021. Western Sydney University was the only metropolitan university to achieve this target.
Universities in NSW reported a decline in the total number of low SES domestic undergraduate student enrolments, from 40,521 in 2021 to 35,110 in 2022. Overall, domestic undergraduate student enrolments (headcount) in NSW decreased by 3.5% in the same period from 230,379 in 2021 to 222,305 in 2022.
Universities can continue to improve outcomes for these students by consistently setting internal targets, tracking achievement against those targets, implementing policies to increase enrolments and supporting students to graduation.
Reported enrolments of domestic undergraduate students from low SES backgrounds in 2022 for universities as a percentage of total domestic undergraduate students is shown in the graph below.
Source: Australian Department of Education 2022, Section 11: Equity groups.
Enrolment of Aboriginal and Torres Strait Islander students
In March 2017, Australian universities committed to achieving growth rates for enrolments of Aboriginal and Torres Strait Islander students to exceed the growth rate of enrolments of other domestic students by at least 50%. This was the first whole-of-sector strategy to support the advancement of Aboriginal and Torres Strait Islander people in and through Australia’s universities. In March 2022, Universities Australia published their Indigenous Strategy 2022-25, reflecting the sector’s continued commitment to improving completion rates.
Aboriginal students are defined as ‘students who identify as being of the First Nations peoples of the land and waters now called Australia and includes Aboriginal and Torres Strait Islander peoples’.
The 2022 results for universities in NSW showed only University of Technology Sydney (UTS) achieved the 2017–20 target growth rate for students enrolled from Aboriginal backgrounds, compared to seven universities in 2021.
Overall enrolments of Aboriginal students in 2022 have declined
Apart from one metropolitan based university (UTS), all other NSW universities reported a decline in the overall number of Aboriginal student enrolments. In 2022 overall enrolments of Aboriginal students declined by 190 students, taking the total number in 2022 to 7,397 (7,587 in 2021). This represents a decline of 2.5% since 2021. Overall, non-Aboriginal student enrolments in NSW also decreased by 3.9% in the same period, from 308,748 in 2021 to 296,553 in 2022. Consequently, the target growth rate for enrolments of Aboriginal and Torres Strait Islander students could not be achieved in 2022.
Whilst most of the regional universities have higher levels of Aboriginal student enrolments as a percentage of domestic students, they also experienced the largest decline in total Aboriginal students enrolled in 2022.
The number of Aboriginal students enrolled in 2022 by university is shown below, together with the change in Aboriginal students enrolled since 2021.
Source: Australian Department of Education, Student Data 2022, Section 11: Equity groups. Table 11.5 All domestic students by State.
The following graph shows Aboriginal students in 2022 as a percentage of total domestic students at each university.
Source: Australian Department of Education, Student Data 2022, Section 11: Equity groups.
Australian Universities Accord Report 2024
The 2024 Department of Education’s ‘Australian Universities Accord Final Report’ (the Review) examined Australia’s higher education system. The Review made 47 recommendations to assist with creating a long-term reform plan for the higher education sector with the goal of meeting Australia’s future skill needs.
The Review highlighted concerns around skill shortages combined with declining completion rates, and the need for sector-wide reform. The report also underscores the critical need for collaboration among universities, government, and industry to address challenges facing the higher education sector effectively.
The Review also outlined the need:
- for an equitable higher education system, ensuring growth for skills through greater equality
- to set and meet more ambitious enrolment and equity targets, especially for those cohorts of underrepresented groups
- to adopt flexible learning models to meet diverse student needs while maintaining academic standards
- for the critical role of universities in driving and enhancing research and innovation
- for adapting to new technologies and embracing flexible learning models
- for transparency and accountability in how funds are allocated, ensuring that resources are effectively utilised to enhance the quality and accessibility of education for all students.
5. Cyber security
This chapter of the report focuses on the cyber risk environment for universities, how universities have assessed that risk, what frameworks they use to strategically identify controls that respond to those risks, and the extent to which they have implemented or have plans to implement those controls. We also address some specific controls in respect of cyber resilience.
5.1 Background
Our focus on cyber security
Our audit focus on cyber security, as explained in our Annual Work Program 2023–26, aims to provide insights into how universities are responding to the risks associated with cyber security in our financial audits across New South Wales.
Our financial audits consider cyber security planning and governance, and the potential for cyber incidents to cause a material impact on the financial statements we audit. We also consider specific topics or themes on a sector-wide basis as part of our financial audits.
Source: Annual Work Program 2023-26 | Audit Office of New South Wales (nsw.gov.au).
Our previous reports have covered cyber security in large entities in the NSW state government as part of our Internal controls and governance 2023 report, and in specific agencies, such as the Managing cyber risks report on Transport for NSW and Sydney Trains. We have also recently tabled a performance audit report into Cyber security in local government. Each report has highlighted cyber security insights in the context of their sector and operations. While the university sector has its own context, there are still some themes and insights that apply across contexts and sectors.
Reported cyber security incidents in education sector
The Australian Signals Directorate (ASD) notes in its ASD Cyber Threat Report 2022–23 that 6.7% of reported cyber security incidents were in the educational and training sector, the fourth most targeted sector.
Source: ASD Cyber Threat Report 2022–23.
Cyber security risks in the university sector
Common specific cyber risks for universities include the personal and private information they hold and share, and the research data and similar information they work with, including in areas of critical infrastructure.
All ten universities work with and share information with local, state, commonwealth and foreign governments. The relationships with these government agencies take various forms including teaching, research, consultancy, and other types of partnerships, as well as cooperation with regulatory requirements.
All ten universities rely on their faculties and divisions to identify the contractual security requirements when working with other organisations, primarily as part of the establishment of new partnerships. Contractual agreements and legislation drive the security requirements for those partnerships, and universities evaluate those agreements within their commercial, legal and research offices.
Data being shared through government relationships includes payroll and employee related data, student enrolment data, and various types of research data. Some of the data is classified for national security purposes under the Australian Government Protective Security Policy Framework.
The Security of Critical Infrastructure Act 2018 (SOCI) was amended in 2022 to include the Higher Education and Research sector. This Act places obligations on universities to (among others) identify functions, systems and data which meet the definition of a critical education asset, and to notify the Commonwealth Government when cyber security incidents occur in relation to these assets.
Critical Infrastructure assets are attractive targets for malicious cyber activity due to their connection with essential services, including national defence (source: ASD Cyber Threat Report 2022–23).
None of the ten universities have identified relevant functions, systems or data that meet the SOCI criteria
It is not clear that the inclusion of higher education in the legislation has led to a change in how universities operate or report. While universities work with critical infrastructure entities such as defence, health, transport, utilities, and telecommunications, all ten universities advised that no critical assets have been identified as defined in the SOCI legislation.
The actual processes to identify and evaluate these SOCI requirements varied across the universities. Capability varied from proactive and regular evaluations to reactive responses. Proactive evaluation of SOCI requirements is performed during contract creation and, in some universities, is also performed periodically by the cyber security team and/or the critical infrastructure working group. An example of a reactive response is when universities respond to information raised by individuals, researchers, or internal audit over potential SOCI compliance requirements.
In an environment of changing cyber security risks, evolving cyber security practices, and the potential for researchers to engage in new fields involving critical infrastructure entities, universities need processes to identify any emerging critical education assets that need to be managed in accordance with the SOCI Act.
Recommendation
Universities should ensure proactive processes exist across all faculties and divisions to identify, monitor and comply with the requirements of the Security of Critical Infrastructure Act 2018.
5.2 Identifying and responding to cyber security risk
We reviewed the universities' risk assessments for cyber security. This section of the report describes how universities identified their cyber security risks and assessed how those risks apply to their IT environment. Ineffective identification of cyber security risks can leave universities vulnerable to unknown risks. This can result in disruption of services, loss of reputation and loss and damage both to the university and its stakeholders.
Risk management process
The early steps in risk management are comprehensively exploring and identifying potential risks. Once risks are identified, they are evaluated and managed through implementation of mitigating controls. Any residual risk should be then managed and monitored.
All ten universities follow AS/NZS ISO 31000:2018 Risk Management – Principles and Guidelines. This standard describes a process of:
- identifying risks based on the external environment and factors specific to the entity
- assessing the severity of the risks based on the likelihood and impact should they occur
- determining a risk appetite for the entity; the severity of risks they can accept
- responding to risks outside appetite, typically by treating them to reduce the likelihood or impact to bring them within appetite.
Chief Information Security Officers participate in the identification of the cyber security risks through activities such as:
- workshops from stakeholders
- gap assessments against industry frameworks and benchmarks
- internal and external audit findings
- cyber security threat intelligence
- internal monitoring and vulnerability testing.
All ten universities identified cyber security risks, and controls over those risks, as part of their risk management process, recording between one and 43 risks arising from cyber security.
One university has recorded some detail but has not identified or documented what specific controls they have over the risks, or who performs the controls.
Seventy per cent of universities have cyber security risks above their risk appetite
Residual risks at the ten universities were rated between moderate and critical after considering the effectiveness of controls. All ten universities have defined a risk appetite statement for the risks arising from cyber security. Though senior management have defined the risk appetite as being the amount and type of risk they were willing to accept, 70% (seven of the ten) of the universities have evaluated that cyber security risks are above their risk appetite. One other university had not completed its cyber security risk assessment or evaluated it against its risk appetite.
Risks outside appetite mean that the universities see their cyber risk as being at an unacceptable level, putting their organisational objectives at risk.
Only two of those seven universities have formally accepted the risks that are outside their risk appetite, with formal approval from the executive level. The remaining five universities had their audit and risk committees informed of the level of risk and the progress on planned measures to reduce the level of risk.
It is not uncommon for risk to be assessed as outside appetite in organisations with mature and robust risk management frameworks, particularly in relation to novel or fast-moving threats and risk vectors. Clear and realistic evaluation of risks and control effectiveness is an essential element of good governance, and allows for well informed decisions over cyber security improvement investment priorities. However, it is important that risks are not permitted to remain outside appetite for longer than absolutely necessary.
Some of the universities that have not identified risks outside of their appetite do not demonstrate the same level of detail in their assessments, and therefore their assessments appear less robust and more prone to inaccuracy.
Recommendation
Consistent with their individual risk management frameworks or acceptance criteria, universities should identify and manage risks that exceed their risk appetite.
Assessment of cyber security maturity
Universities are not mandated to apply a specific cyber security framework, unlike federal and state government agencies. All ten universities have now adopted the use of at least one cyber security framework with most using more than one framework.
The most common framework used is NIST CSF (National Institute of Standards and Technology - Cybersecurity Framework). This framework was developed and is maintained by the United States Department of Commerce, and is broadly applicable and widely used across many industries and in many countries. Nine universities use this framework to some extent.
The second most common is the Essential 8 framework from the ACSC (Australian Signals Directorate - Essential Eight). While this is far more limited in its scope, it is also widely used among some sectors, particularly commonwealth and state government sectors, and sets a minimum baseline to address the most commonly seen cyber attacks. Eight universities use or refer to this framework.
Other frameworks referenced include ISO27001, and the Commonwealth Government Information Security Manual.
Source: Audit Office analysis.
The chart above shows the adoption of cyber security frameworks by universities from 2021 to 2023. The chart shows:
- In 2021, one of the ten universities had not adopted any framework. In 2023, all ten universities have adopted a framework.
- Adoption of the ACSC E8 and the NIST framework has increased continuously from 2021 to 2023. In 2023, 70% (seven of ten universities) have used both frameworks as their main guidelines.
- The NIST framework is the most common framework used by universities. Nine of the ten universities have adopted this framework.
Both the NIST CSF and the Essential 8 frameworks are supported by maturity models – a tiered measurement tool that shows the relative effectiveness of security controls within an organisation. These tools provide:
- a quantitative measure of cyber security across organisations in similar environments
- a useful and standardised method for identifying gaps in an organisation’s cyber security practices, and
- guidance on the required improvement areas to reach the next tier of maturity.
Nine of the universities assessed their current practices against one or more of these maturity models, and have used this assessment to guide their direction. Six universities engaged external parties to perform the assessment while the other two universities used internal resources for the review.
One university did not assess their current cyber security maturity
One of the ten universities did not assess its current cyber security maturity and capability in 2023.
Recommendation
All universities should track and annually assess their cyber security maturity.
Cyber security uplift programs
Cyber security uplift programs aim to improve cyber resilience, identify and reduce vulnerabilities and assess security risks across the university. These cyber security uplift programs are of increasing importance as the frequency and sophistication of cyber security attacks continues to grow. The development of these programs also utilises the evaluation of current cyber security practices, assessment of maturity against established cyber security frameworks, setting target maturity levels and defining plans to reach those targets.
Four universities did not have a formal cyber security uplift program
Two universities had neither defined a target state for cyber security capability, nor had a cyber security uplift program during 2023. A further two universities did have maturity targets but did not have a program in place.
These four universities are developing or obtaining approval for their cyber security uplift programs to run from 2024.
One university did not have a specific budget for cyber security
Nine of the ten universities allocated between $900,000 and $12.4 million on cyber security for 2023. This equated to 0.15% to 0.42% of total operating expenditure. The allocated budget included both operating expenditure and, where they existed, funding for the uplift program.
One university did not have a specific budget for cyber security.
Eight universities have set annual targets to meet their cyber security maturity targets. The two universities that do not have annual targets are still developing their uplift programs. Current and forward cyber security uplift programs to achieve their target had the following target timeframes:
- 4 universities with programs to achieve their target state by the end of 2024
- 4 universities with programs with a target state by end of 2026. However, one of them has not defined their year-on-year target
- 1 university with a program to achieve their target state by 2027, but is yet to define their year-on-year target
- 1 university with a program to achieve their target state by 2030
- 1 university considers their forward program as ongoing with no target timeframe
- 1 university is still developing their program and has not defined their timeframe.
Recommendation
All universities should develop, monitor, and re-evaluate their cyber security uplift programs as they progressively achieve their targets.
The table below shows whether universities:
- have cyber residual risk beyond their risk appetite
- know their current maturity based on formal assessment
- have defined a formal cyber uplift program; and
- have allocated funding to support their cyber uplift program.
| Alias (not in order) | Cyber security residual risks are within risk appetite | Cyber uplift program defined | Specific cyber uplift funding for 2023 | Maturity assessment performed |
|---|---|---|---|---|
| University #1 | Not met | Not met | Not met | Met |
| University #2 | Not met | Not met | Met | Met |
| University #3 | Not met | Not met | Met | Met |
| University #4 | Not met | Met | Met | Met |
| University #5 | Not met | Met | Met | Met |
| University #6 | Not met | Met | Met | Met |
| University #7 | Not met | Met | Met | Met |
| University #8 | Met | Not met | Met | Met |
| University #9 | Met | Met | Met | Not met |
| University #10 | Met | Met | Met | Met |

Note: "Met" means the university meets the criteria; "Not met" means the university did not meet the criteria.
Source: Audit Office analysis.
We note the following key highlights:
- 3 of the seven universities with residual risks beyond the risk appetite have not defined their uplift program, and therefore do not have a plan to address this gap. One of these three has also not allocated any specific funding for improving its cyber security in 2023.
- 4 of the seven universities with residual risks beyond their risk appetite have performed their maturity assessment, defined an uplift program, and allocated specific funding which demonstrates a more proactive approach to managing their cyber security risks.
- 1 university has not performed a maturity assessment to understand if their cyber security residual risk is within their risk appetite.
5.3 Cyber resilience
No matter how effective an organisation’s protective measures are, there is always a possibility that a skilful and persistent attacker will compromise systems and data. How organisations recognise when they have been compromised, and how they respond to that, is the subject of an organisation’s Cyber Incident Response Plan.
Failing to recognise a cyber incident or to respond appropriately can lead to significant disruption and cost to an organisation and its stakeholders, including other organisations that share system access or data.
Detecting cyber incidents
All ten universities have implemented systems to detect cyber security incidents. These monitoring systems record and log security events captured from various points across the network such as firewalls and servers, and allow analysis of the data to recognise when a compromise or other cyber incident may be occurring.
This logging and analysis is extensive and system-driven for some (larger) universities, relies on more manual intervention for others, and is conducted by a third party security services provider for others.
Seven universities have identified limitations in their ability to identify cyber security events
The coverage of cyber security monitoring varied between the universities. Seven universities have identified that whilst they have implemented a process to identify/monitor cyber security incidents, it does not cover all their systems. This limitation is mainly due to legacy systems where integration with the event monitoring system is not visible, and/or due to decentralised management of systems so that the event monitoring system does not cover the systems managed by faculties or subsidiaries.
Recommendation
Universities should ensure cyber security event monitoring and coverage extends across systems, functions, and operations.
All ten universities report to senior management on significant issues, incidents, and insights from their cyber security operations. Eight universities also include cyber security incident trends in the regular report while the other two only include it when they believe there are significant trends to be reported to senior management.
The volume of incidents is not comparable between each university due to variations in what they regard as a cyber incident, and the different scopes and capabilities in monitoring and identifying incidents when they take place. The volume of incidents ranged from a minimum of two solitary incidents identified by one university over the full year, to a maximum of 300 incidents identified and responded to by another university.
Cyber Incident Response Plans
All ten universities have a cyber incident response plan that was approved and updated within the past two years. The plans all covered the required steps to detect and respond to incidents.
Three universities had not developed playbooks to support their cyber incident response plans
Thirty per cent of universities have not developed and finalised their supporting playbooks (instructions for certain and predefined cyber security scenarios). One was in draft, one stated that they were planning to develop theirs in 2024, and the third said they were aiming to develop theirs in 2025–26. The other seven universities have developed playbooks for multiple scenarios.
Recommendation
Universities should develop and finalise multiple playbooks to formalise and streamline responses to common and frequent cyber security incidents.
Our review of the cyber incident response plans against the ACSC CIRP indicated a reasonable scope and customisation of their plans. Two universities have not included their vendors in their cyber incident response plans, but reliance was placed on vendor contracts to manage third party risks.
Testing Cyber Incident Response Plans
All ten universities tested their cyber incident response plans during 2023. Nine universities performed a tabletop test, where discussions occur on a set of scenarios and key stakeholders talk through their plan and responses. One university performed a functional test, with interactive exercises, a test IT environment and required outputs for analysis and communications.
One university had not formally documented the learnings from testing their Cyber Incident Response Plan
All universities advised that they identified learnings from the testing performed. Nine of the universities had documented records of this, but one university did not document the lessons learned.
Recommendation
Universities should formally document the outcome of their Cyber Incident Response Plan testing to make sure that lessons from the exercise are learned.
Appendices
Appendix one – List of 2023 recommendations
Appendix two – Status of 2022 recommendations
Appendix three – Universities' controlled entities
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.