Report snapshot
About this report
Financial audit results of the NSW public universities’ financial statements for the year ended 31 December 2024.
Findings
Unmodified audit opinions were issued for all ten universities.
Six universities reported net deficits in 2024, compared to eight in 2023. Nine universities’ net results improved from 2023.
The main driver of revenue growth in 2024 was a 25.5% increase in fees and charges revenue from overseas students, due to increased enrolments of 18.9%. Revenue from domestic students increased by 12%, however, enrolment numbers remain below 2020 levels.
In 2024, revenue growth of 14.9% exceeded the 9.4% growth rate of expenses. However, universities are still recovering from the shortfalls experienced in 2022 and 2023 following financial disruptions caused by the COVID-19 pandemic.
Half of the universities show indicators of financial risk in the form of liquidity ratios of less than one and having less than three months of cash reserves to fund operating and financing activities.
The number of reported audit findings has decreased from 111 in 2023 to 98 this year. Most control deficiencies related to information technology /cyber security, governance, and payroll.
Universities are not consistently following their own procedures for recording cyber incidents, data breaches and privacy breaches.
Data breaches that required mandatory notification resulted in unauthorised access and disclosure of personal information, and mainly caused by phishing attacks and human error.
Recommendations
Universities should:
- finalise mitigating actions to address the risk of future wage underpayments and prioritise repayments to affected staff
- adequately prepare themselves to comply with the climate disclosure requirements under NSW Treasury’s reporting framework
- clearly document the requirements for business cases and post-completion reviews for capital projects
- comply with established processes when recording cyber security incidents and data breaches
- require staff to complete cyber security training regularly, include simulated phishing attacks and provide students with basic cyber security training
- create a central artificial intelligence (AI) inventory, establish and implement an AI policy and consider the benefits of establishing an AI strategy.
Fast facts
1. Executive summary
Introduction
This report presents the results of our 31 December 2024 financial audits of public universities and their controlled entities in New South Wales (NSW). It includes analysis, observations and recommendations in the following areas:
- audit results
- financial performance
- internal controls and governance
- enrolments and teaching outcomes
- cyber security
- use of artificial intelligence (AI).
Ten public universities in NSW are under State legislation. Their core functions are to provide education and research services. Other functions include commercial development and revenue generation in connection with promoting the university’s objectives. In 2023 (the most recent available data), these universities received $3.9 billion in Australian Government funding, representing 28.8% of the total Australian Government funding to Australian universities of $13.4 billion.
Audit results
Unmodified audit opinions were issued for all ten universities’ 2024 financial statements
All audits of universities and their controlled entities received unmodified opinions, except for one controlled entity. A qualified opinion due to a limitation of scope was issued for Stornaway Pty Limited, a controlled entity of The University of Sydney. It related to a lack of supporting evidence for certain balances which predated the university’s control of the entity.
Provisions for wage remediation decreased by 10.5% to $164 million at 31 December 2024
Eight universities provided for wage remediation liabilities (the same number in 2023). In 2024, universities collectively remediated $28.5 million to staff identified as being underpaid.
Four universities reported they have already implemented procedures to mitigate the risk of future staff underpayments, while six universities are in the process of implementing mitigating actions.
Universities are preparing for climate reporting requirements
Universities’ self-assessments on climate reporting readiness indicate that they are starting to prepare for upcoming disclosure requirements under NSW Treasury’s ‘Reporting framework for first year climate-related financial disclosures’ (TPG24-33). These include the areas of governance, strategy, risk management, and metrics and targets.
Financial performance
Six universities reported net deficits in 2024, compared to eight in 2023
Nine universities’ net results improved from 2023, with the sector reporting an overall net surplus of $583 million in 2024, an improvement from the $93 million net deficit (adjusted) in 2023.
The key movements in the 2024 results included an increase in fees and charges revenue of $1.2 billion and increased government grants of $257 million, which were offset by increased employee-related expenses of $744 million. All revenue streams recorded a growth in 2024.
Universities’ combined revenue totalled $14.3 billion in 2024, an increase of $1.9 billion
The main contributor to this increase was revenue from overseas students, which increased by 25.5%, as the number of overseas student enrolments increased by 18.9%. Revenue from domestic students increased by 12%, however, enrolment numbers remain below 2020 levels.
In 2024, all universities experienced an increase in overseas student revenue ranging from 1.1% to 60.8%, compared to 2023. The increase was driven by a number of factors, including the ongoing post-pandemic recovery, growing demand from key source countries such as China and India, and policy changes related to visas and work regulations in other leading countries for international students. University of New South Wales had the highest growth of $534 million.
Over 43% of fees and charges revenue came from overseas students from three countries
This proportion increased from 40.5% in 2023. The top countries of student origin in 2024 were China, India and Vietnam (China, India and Nepal over the previous five years). As reported in previous Auditor-General’s reports to Parliament, a high level of reliance on student revenue from a limited number of key source countries of origin poses a concentration risk for NSW universities. China is the leading source of overseas student revenue for six universities.
Combined expenses totalled $13.7 billion in 2024, an increase of $1.2 billion
Most of this increase was attributed to higher employee-related expenses, which grew by 10.7%. This was in line with a six per cent growth in full-time equivalent (FTE) staff numbers and wage increases.
The ratio of employee-related expenses to total income from continuing operations for NSW universities dropped from 57% in 2022 to 54% in 2024, as the growth in revenue from fees and charges has outpaced the growth in employee-related expenses.
Growth in combined revenue was 14.9%, exceeding growth in combined expenses of 9.4% in 2024
The post-pandemic recovery became more evident in 2024, with revenue growth significantly outpacing expense growth. However, universities are still recovering from the shortfalls experienced in 2022 and 2023 following the financial disruptions caused by the COVID-19 pandemic.
Changes to student visa processing may impact overseas student enrolments from 2025
Universities forecast the strong growth in overseas student enrolments and revenue is unlikely to continue due to recent changes to student visa processing. These include an increase in rejection rates of student visas and the introduction of Ministerial Direction 111, which re-prioritises student visa processing among universities.
Half of the universities show indicators of financial sustainability risk
Five universities have an adjusted liquidity ratio of less than one, which indicates insufficient liquid assets to meet short-term liabilities. Six universities (including the five just mentioned) have less than three months of cash reserves to fund operating and financing activities. Seven universities have shown a decreasing cash expense cover ratio over the last three years. These unfavourable indicators combined may signal financial sustainability risk.
Universities should clearly document the requirements for business cases and post-completion reviews for capital projects
Universities wrote off a combined $7.5 million of capital works in progress in 2024. The main reason for the write-offs was project cancellations resulting from changes in strategic priorities.
Six universities do not have a documented policy or procedure that sets out requirements for completing business cases and post-completion reviews for capital projects. In some cases, these activities were completed as a matter of business practice, but this was not consistently applied.
Ten projects relating to six universities with a combined budget of $64 million did not include a post-completion review. This makes it more difficult to evaluate whether the capital project was fit for purpose or achieved its objective.
Four universities do not track building utilisation rates using a clearly defined process
Three universities do not have a documented policy that specifically covers how they manage and monitor building or physical space utilisation. Without accurate and relevant building utilisation rates, there is a risk that universities are engaging in unnecessary capital works which are costly and disruptive. Alternatively, underutilised spaces could result in foregone revenue.
Universities generated $4.8 million in revenue from commercialising intellectual property
Universities received $1.8 billion in 2023 to conduct research and development. Research outcomes may produce intellectual property that universities can commercialise if they have the rights to the intellectual property. Universities recognised $4.8 million in revenue from intellectual property in 2024 and reported owning $4.2 million in intellectual property assets.
Internal controls and governance
The number of reported audit findings decreased by 12%
In 2024, we identified 98 audit findings across the ten NSW universities (111 in 2023). We identified 38 repeat findings, and the need for improvements to user access management and managing privileged user accounts were repeat findings for five universities.
Sixty-two per cent of control deficiencies were related to information technology / cyber security, governance and payroll
One high-risk finding related to a lack of monitoring of privileged user activities over multiple information systems. The university subsequently addressed this matter by 31 December 2024.
We identified deficiencies in managing user access to key systems at seven universities, and six universities did not formalise and/or regularly review all key governance, financial, or information technology (IT) policies and procedures.
Enrolments and teaching outcomes
Enrolments in 2024 exceeded pre-COVID-19 enrolments for the first time
Overall enrolments increased by 24,212 equivalent full-time study load (EFTSL) students in 2024, from 285,680 to 309,892. This was mainly driven by an increase in overseas student numbers.
The field of education with the largest EFTSL increase in 2024 was IT, Engineering and Related Technologies, with a 15.5% increase.
Enrolment of students from low socio-economic status backgrounds remained steady in 20231
In five universities, enrolments of students from low socio-economic status (SES) backgrounds represented more than 20% of domestic undergraduate students in 2023. The overall percentage of domestic undergraduate students from low SES backgrounds was 15.8% – below the Australian Government target of 20%.
Enrolment of Aboriginal2 students increased as a percentage of total domestic student enrolments in 20231 – but this is not a real increase in numbers
Aboriginal students represented 2.5% of total domestic student enrolments in 2023, up from 2.4% in 2022. However, the overall number of Aboriginal students decreased by 1.9% from 7,397 to 7,256 over this period. Meanwhile, there was a greater decrease of 3.4% in the overall number of domestic students.
Cyber security
Cyber security incident management, reporting and training needs improvement
The increasing frequency and sophistication of cyber security attacks remains a key risk for universities.
Key findings include:
- the recording of cyber security incidents and privacy breaches needs improvement so management understands the root causes of incidents and can better direct corrective action
- the data breaches subject to mandatory notification were related to unauthorised access and disclosure, and mainly caused by phishing attacks and human error
- universities’ cyber security training rates are low and the training excludes students
- simulated phishing attacks are not used by three universities for training, despite phishing being the most prevalent cyber attack method.
Use of artificial intelligence
Artificial intelligence use varies widely across universities
The number of AI products implemented by universities varies widely. Among the universities that have knowledge of all the AI products they have implemented, one reported utilising up to 60, including those in the pilot phase, while others reported having as few as five.
Four universities have not identified and documented all the AI products they have implemented.
Some universities have not adopted an artificial intelligence policy
Three universities have yet to establish formal AI policies or embed the consideration of AI into existing policies. One of these reported that its policy was under development at the time of our review.
Universities can better integrate artificial intelligence into their governance and risk management frameworks
While most universities have AI policies, they need to more effectively integrate AI into their governance frameworks to address the specific and unique risks posed by AI. This includes evaluating AI’s broader impacts on accountability structures, policies and procedures (such as IT, procurement, risk management), and monitoring and reporting systems.
Most universities lack a strategy to help maximise the benefits artificial intelligence can offer
While eight universities recognise AI’s strategic impact and list it as a strategic risk, only four have a strategy for AI or have embedded this into an existing strategy. More focus on the strategic use of AI could help maximise benefits from AI and ensure AI aligns with the universities’ objectives.
Recommendations
Common reporting issues
Universities should:
- finalise mitigating actions, where not already completed, to address the risk of future wage underpayments, and prioritise remediation of wage underpayments to affected employees
- adequately prepare themselves to comply with the climate disclosure requirements set out in NSW Treasury’s reporting framework TPG24-33.
Financial sustainability
- Universities should clearly document the requirements for business cases and post-completion reviews for capital projects. These should consider the long-term strategic objectives of the university to minimise the risk of wastage of public resources.
Cyber security
Universities should:
- comply with their established processes when recording cyber security incidents and data breaches, and regularly provide senior management with relevant reports detailing significant cyber security issues and metrics
- require staff to complete cyber security training on a regular basis
- provide students with a basic level of cyber security training
- perform simulated phishing attacks as part of cyber security training.
Artificial intelligence
Universities should:
- create a central AI inventory to document its purpose, uses and limitations for transparency, oversight and accountability
- establish and implement an AI policy, and embed the consideration of AI use into governance and risk management frameworks
- consider the benefits of developing an AI strategy to support the co-ordination of AI initiatives with strategic objectives.
1 Enrolment statistics for 2024 are not expected to be available from the Australian Department of Education until late 2025.
2 In this report, the term Aboriginal people is used to describe Aboriginal and Torres Strait Islander peoples. The Audit Office of New South Wales acknowledges the diversity of traditional Nations and Aboriginal language groups across the state of New South Wales.
2. Introduction
2.1. Overview of NSW universities
Ten public universities in NSW are under State legislation. Their core functions are to provide education and research services. Other functions include commercial development and revenue generation in connection with promoting the university’s objectives.
Across Australia, there are 43 universities: 38 public universities and five private universities. Universities receive funding from the Australian Government in accordance with the Higher Education Support Act 2003 (Cth) and are regulated by the Australian Department of Education through the Tertiary Education Quality and Standards Agency (TEQSA). TEQSA is the national independent regulator of higher education providers, including universities. In 2023 (the most recent available data), the NSW public universities received $3.9 billion in Australian Government funding, representing 28.8% of the total Australian Government funding to Australian universities of $13.4 billion.
At State level, the NSW Department of Education administers the legislative responsibilities of the State’s public universities, develops policies related to higher education in NSW and manages stakeholder relations with universities. The Government Sector Finance Act 2018 (GSF Act) requires universities to prepare annual financial statements and provide these to the Auditor-General for auditing.
2.2. 2024 snapshot
* Equivalent Full-Time Student Load (EFTSL) represents the equivalent full-time study load for one year.
** Full-Time Equivalent (FTE). These numbers include staff of universities’ controlled entities, which do not all provide academic services.
Source: Audit Office analysis, student and staff numbers are provided by universities (unaudited).
3. Audit results
Financial reporting is an important element of good governance. Confidence in, and transparency of, university sector decision-making are enhanced when financial reporting is accurate and timely.
This chapter outlines the 2024 financial reporting audit results of NSW universities.
Chapter highlights
|
3.1. Quality of financial reporting
Audit results
Unmodified audit opinions were issued for all ten NSW universities
Unmodified audit opinions were issued for all ten universities’ 31 December 2024 financial statements. Sufficient and appropriate audit evidence was obtained to conclude that the financial statements were free of material misstatement.
Unmodified audit opinions were issued for all audits of university-controlled entities except one
Of the 74 university-controlled entities in 2024:
- 50 received unmodified audit opinions
- 1 received a qualified audit opinion
- 23 were exempt from the Government Sector Finance Act 2018 (GSF Act) reporting requirements.
The University of Sydney’s controlled entity, Stornaway Pty Limited, received a qualified opinion in 2024 due to a limitation of scope relating to a lack of supporting evidence for certain balances which predated the university’s control of the entity.
Division 2 of the Government Sector Finance Regulation 2024 (GSF Regulation 2024) exempts certain entities from preparing financial statements under the GSF Act if all of the following criteria are met:
- the assets, liabilities, income, expenses, commitments and contingent liabilities of the entity are each less than $5 million
- total cash or cash equivalents held by the entity is less than $2.5 million
- if the entity has income, at least 95% of the entity’s income is derived from money paid out of the Consolidated Fund or from money provided by other GSF agencies
- the entity does not administer legislation for a Minister by or under which members of the public are regulated.
These provisions exempted 23 university-controlled entities from GSF Act reporting requirements in 2024 (11 were exempted from GSF Act reporting requirements in 2023 under Division 2 of the Government Sector Finance Regulation 2018). More entities were exempt in 2024 as NSW Treasury amended the issues relating to small entity exemption criteria through updates to the GSF Regulation 2024. Entities that are exempted from financial reporting obligations are not audited by the Auditor-General.
The number of monetary misstatements identified were fewer in 2024 but higher in gross values
A monetary misstatement is an error in an amount recognised in the financial statements initially submitted for audit.
We identified 16 monetary misstatements during the audits of universities’ financial statements in 2024 (24 in 2023). Twelve of these, with a gross value of $289 million, were corrected in 2024 (16 in 2023 with a gross value of $183 million). The remaining four, with a gross value of $14.2 million, were uncorrected (eight in 2023 with a gross value of $15.3 million).
The table below shows the number and quantum of monetary misstatements for the past two years.
| Number of misstatements | ||||
| Year ended 31 December | 2024 | 2023 | ||
| Corrected misstatements | Uncorrected misstatements | Corrected misstatements | Uncorrected misstatements | |
| Less than $50,000 | 0 | 0 | 0 | 0 |
| $50,000 to $249,999 | 1 | 0 | 0 | 0 |
| $250,000 to $999,999 | 0 | 0 | 2 | 2 |
| $1 million to $4,999,999 | 2 | 4 | 6 | 6 |
| $5 million and greater | 9 | 0 | 8 | 0 |
| Total number of misstatements | 12 | 4 | 16 | 8 |
Source: Statutory Audit Reports issued by the Audit Office.
Of the 12 corrected monetary misstatements in 2024, nine had a gross value greater than $5 million. In general, they related to:
- inconsistent accounting treatments relating to reclassification of asset revaluation reserves to retained earnings ($120 million)
- reductions in the fair value of land to reflect restrictions that were not considered in previous valuations ($72.6 million)
- recognition, de-recognition and reclassifications of cash, investment and derivatives balances ($62.7 million)
- recognition of employee underpayment provisions ($13.2 million)
- deferral of revenue recognised previously for work yet to be performed ($13.1 million).
3.2. Timeliness of financial reporting
All entities met the statutory timeframe for submitting draft financial statements for audit
All ten universities and their controlled entities met the reporting deadlines for their 2024 financial statements.
The Treasurer’s Direction TD 21-03 ‘Submission of Annual GSF Financial Statements for NSW public sector agencies that are not included in TD21-02’, issued on 12 June 2024, requires reporting GSF agencies to submit their draft financial statements for audit within six weeks following the end of the annual reporting period.
The Audit Office’s Independent Auditor’s Reports on universities reporting’ financial statements for 2024 were issued between 26 March 2025 and 23 April 2025. Audit completion dates are presented in the following diagram.
Note: Audit completion dates for the University of New England were the same in both years.
Source: Independent Auditor’s Reports issued by the Audit Office.
3.3. Common reporting issues
Wage remediation provisions
Wage remediation provisions decreased by 10.5% in 2024
NSW universities recorded provisions of $164 million in aggregate at 31 December 2024 ($183 million in 2023) relating to the historical underpayment of staff wages and entitlements. This balance represented estimates of amounts still owing, or likely to be owing, to staff the universities identified as at risk of having been underpaid. Eight universities have provided for wage remediation liabilities (the same number in 2023).
Complexity in enterprise agreements and inconsistent interpretation of the terms within those agreements has contributed to inaccuracies in some payments made to certain staff for several years. Some universities are also reviewing compliance with the relevant Commonwealth legislation, such as the Superannuation Guarantee (Administration) Act 1992, as a flow-on effect. While the universities will not seek to recover overpayments to their staff, they accept the need to redress underpayments.
While conducting reviews of compliance with enterprise agreements in 2024, six universities engaged an expert to assess the full scale of underpayment. Of these six universities, five identified new underpayment issues.
In 2024, universities collectively repaid $28.5 million to staff they identified as underpaid ($9.7 million in 2023). The overall decrease in provision was due to increased remediation payments made during the year and reversal of previously overprovided amounts. These were partially offset by identification of further instances and new categories of underpayments amounting to $35.3 million.
Four universities reported having implemented procedures to mitigate the risk of future staff underpayments, while six universities are in the process of implementing mitigating actions. Generally, such actions include:
- reviewing and updating pay codes to comply with enterprise agreements and other regulatory requirements
- provision of training and guidance materials on current pay practices
- payroll system configurations to ensure accurate timekeeping
- ongoing monitoring and reporting of compliance.
RecommendationWhere not completed, universities should finalise mitigating actions to address the risk of future wage underpayments, and prioritise remediation of wage underpayments to affected employees. |
Climate reporting
The introduction of climate-related financial disclosures (climate disclosures) required by NSW Treasury’s policy and guidelines TPG24-33 Reporting framework for first year climate-related financial disclosures (TPG24-33) is a significant reporting reform for the NSW university sector. The scope of TPG24-33 includes NSW universities that are captured as GSF agencies for financial reporting and annual reporting purposes under the GSF Act. The reporting and assurance of climate disclosures aims to increase transparency of universities’ exposure to the impacts of climate change and enhance accountability over strategies to respond to climate risks and opportunities.
The framework in TPG24-33 sets out the minimum content requirements for the first year of mandatory climate disclosures reporting for NSW universities. It is largely based on the Australian Accounting Standards Board’s (AASB) Australian Sustainability Reporting Standard (ASRS) – AASB S2 Climate-related Disclosures and requires select universities in calendar year 2025 to prepare disclosures on climate governance, strategy, risk management, and metrics and targets (including emissions reporting). The requirement to prepare full disclosures is to be phased in over the coming years in line with the Treasury’s annual reporting guidance.
The following table summarises the climate-related areas that TPG24-33 requires universities to provide disclosures on.
| Climate disclosure pillar | Content objective |
| Governance | To enable the users of the report to understand the governance processes, controls and procedures the university uses to monitor, manage and oversee climate-related risks and opportunities. |
| Strategy | To enable users of the report to understand the university’s strategy for managing climate-related risks and opportunities. These disclosures require information that enables users of the report to understand the climate-related risks and opportunities that could reasonably be expected to affect the university’s financial prospects and achieve its objectives. |
| Risk management | To enable users of the report to understand the university’s processes to identify, assess, prioritise and monitor climate-related risks and opportunities, including whether and how those processes are integrated into and inform the university’s overall risk management process. |
| Metrics and targets | To enable users of the report to understand the university’s performance in relation to its climate-related risks and opportunities, including progress towards any targets the agency has set, and any targets it is required to meet by law, regulation or government policy. These disclosures require information on the university’s scope 1 and scope 2 greenhouse gas emissions, as defined in TPG24-33, for the reporting period. |
Source: NSW Treasury’s TPG24-33 Reporting framework for first year climate disclosures.
In accordance with TPG24-33, for calendar year 2025, University of New South Wales and The University of Sydney will be required to include climate disclosures in their annual reports, or produce a stand-alone climate report. It will be mandatory for these universities to have climate disclosures audited for the 2026 calendar year. Other universities will be required to prepare climate disclosures in subsequent years.
University self-assessments indicate areas of improvement for climate governance, strategy, risk management and metrics reporting
We engaged with universities in a self-assessment exercise to evaluate their climate governance, strategy, risk management and reporting practices. This initiative aimed to gauge their overall readiness to prepare the comprehensive climate disclosures on these activities that will be required by TPG24-33. The results were encouraging, with most universities demonstrating significant progress in these areas. However, the evaluation also highlighted specific areas where some universities could improve to meet emerging climate disclosure requirements effectively.
Governance
Universities have implemented governance and monitoring oversight processes over climate risk, although improvements are required for some universities
All universities evaluate the impacts of climate-related matters at the Executive Leadership Team level. However, only seven universities have:
- dedicated management roles or committees for overseeing climate risks and opportunities
- assigned roles and responsibilities for making climate-related decisions and management.
Universities should ensure that climate risk governance, including roles and responsibilities for climate risk-related decisions and management, are embedded within their governance structures.
Strategy and risk management
Improvements can be made to how universities incorporate climate risk into organisation strategy development and risk management
Capturing climate risk within a university’s strategy and risk management processes is crucial for ensuring long-term sustainability and resilience. Integrating climate risk allows universities to anticipate and mitigate potential impacts on their operations and financial performance. There is room for improvement and the evaluation indicates that:
- 2 universities have not considered climate-related matters in their strategic, corporate or sustainability plans
- 2 universities have not incorporated climate risk considerations into their overall strategy, and risk management processes and policies
- half of all universities had developed climate risk and opportunity statements
- 3 universities are in the process of performing climate risk assessments and developing responses
- 7 universities have not determined the financial effects of climate risk on their operations.
Universities should proactively integrate climate risk into their strategy and risk management processes, ensuring that formal climate-related risks and opportunity assessments are completed, and the financial effects of climate risks are formally quantified.
Metrics and targets
All universities but one have established targets and metrics and report greenhouse gas emissions results
All universities have established climate-related targets and metrics and are collating data for scope 1 and scope 2 greenhouse gas emissions reporting. Seven out of the ten universities have taken steps to engage external experts to validate emissions data. However, one university has not begun tracking or reporting on emissions.
All universities should ensure that systems and processes are in place to monitor, analyse and report greenhouse gas emissions effectively.
RecommendationUniversities should adequately prepare themselves to comply with the climate disclosure requirements set out in NSW Treasury’s reporting framework TPG24-33. |
4. Financial performance
Financial performance is a measure of an organisation’s ability to use its resources to generate revenue and manage expenses while maintaining appropriate levels of net assets and cash flows.
Financial performance also encompasses financial sustainability, which is the ability to meet current and future financial obligations without reducing essential services or borrowing money to fund successive operational deficits. This is achieved by ensuring that over the medium and longer term, revenue is sufficient to cover expenses, cash flow and risks are well managed, long-term financial planning is effective and sources of revenue are diverse.
This chapter presents our observations on the financial performance of universities in 2024.
Chapter highlights
- 6 universities reported net deficits in 2024 (eight in 2023). Nine universities’ net results improved from 2023.
- Growth in combined revenue increased by $1.9 billion (14.9%) and exceeded growth in combined expenses of $1.2 billion (9.4%) from 2023.
- Revenue from overseas students increased by 25.5% in 2024, as the number of overseas student enrolments increased by 18.9%. Revenue from domestic students increased by 12% in 2024, however, enrolment numbers remain below 2020 levels.
- 43.3% of fees and charges revenue in 2024 came from overseas students from three countries (up from 40.5% in 2023).
- 63% of the increase in combined expenses was attributed to higher employee-related expenses.
- 5 universities have an adjusted liquidity ratio of less than one, which indicates insufficient liquid assets to meet short-term liabilities. Six universities (including the five previously mentioned) have less than three months of cash reserve to fund operating and financing activities.
- 6 universities do not have a documented policy on key governance processes for capital projects, covering requirements for business cases and post-completion reviews.
- Universities do not have clearly defined processes to calculate and monitor building utilisation rates, and this may result in suboptimal use of teaching and office space.
4.1. Financial results
Nine universities reported higher net results in 2024
The university sector reported an overall net surplus of $583 million in 2024, an improvement from the $93 million net deficit (adjusted) in 2023. Four universities reported positive net results in 2024 (two in 2023). Nine universities’ net results improved from 2023.
Earnings before interest, tax, depreciation and amortisation (EBITDA) is an alternative measure of financial performance that excludes factors like debt financing, non-cash expenses and taxes, and allows for easier comparison of entities with different capital structures or tax situations. It can also be a useful indicator of operational cash flow.
The graph below shows the net results and EBITDA of individual universities for 2023 and 2024. When comparing the financial performance of universities in this report, the impacts of how universities accounted for franking credits arising from the in-specie distribution of IDP Education Limited shares by Education Australia Limited have been excluded from each university’s results in 2023.
Source: Universities’ consolidated financial statements (audited).
Key movements in the universities’ 2024 results included an increase in:
- fees and charges of $1.2 billion for all universities, with University of New South Wales recording the highest increase of $594 million in 2024
- combined government grants of $257 million
- combined investment income of $252 million, with all but one university experiencing positive investment gains in 2024
- combined employee-related expenses of $744 million.
For NSW universities, the difference between individual net results and EBITDA is largely due to the impact of depreciation and amortisation, which varies across the universities based on the size of their property, plant and equipment (PPE) and intangible assets. All universities have positive EBITDA except for one, University of New England, which had negative EBITDA in both 2023 and 2024.
The graph below presents the revenue and expenses for each university in 2024.
Source: Universities’ consolidated financial statements (audited).
Movements in revenue and expenses for each university, and for the sector as a whole, are analysed later in this report.
Revenue from operations
Note: Government grants do not include Higher Education Loan Programs, such as Higher Education Contribution Scheme (HECS), which are included in fees and charges.
Numbers above have been rounded to the nearest $1 million.
Source: Universities’ consolidated financial statements (audited).
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).
Universities’ combined revenue increased by $1.9 billion (14.9%) in 2024
Combined revenue for universities totalled $14.3 billion in 2024, an increase of $1.9 billion (14.9%) from 2023. This was mainly driven by an increase of $1.2 billion in fees and charges due to the increase in overseas student enrolments (16,726 more overseas equivalent full-time student load (EFTSL) than in 2023), a $257 million increase in government grants and a $252 million increase in investment income. As in 2023, fees and charges continued to represent over half of universities’ total revenue in 2024. The movement in fees and charges revenue is further explained on page 19 of this report. Returns on The University of Sydney’s investments represent over 59% of the universities’ total combined investment income.
Government grants represented 30.1% of universities’ combined revenue in 2024
Aggregated Commonwealth, State and local government grants revenue to NSW universities increased to $4.3 billion in 2024 ($4.1 billion in 2023).
In previous years, various higher education reforms were proposed by the Australian Government to manage the cost of tertiary education and to reduce universities’ reliance on government grants. Combined government grants as a proportion of the total revenue of universities was 31.1% in 2019. From 2020, additional grant funding was provided to assist universities in response to the COVID-19 pandemic, which increased the proportion of grant funding compared to total revenue. In 2024, while the dollar value of government grants increased slightly, the percentage of government grants to total revenue decreased from 32.5% in 2023 to 30.1%. This was mainly due to a $1.2 billion increase in universities’ fees and charges compared to the previous year, which had the effect of reducing the overall proportion of grant funding.
All revenue streams recorded a growth in 2024
The graph below presents the aggregated revenue streams for all NSW universities from 2020 to 2024.
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).
Revenue from fees and charges recorded the strongest growth in 2024, increasing by $1.2 billion or 19.5% from 2023. This was mainly due to the increase in overseas student enrolments. For eight universities, fees and charges increased the most in 2024 compared to other revenue streams. Since 2020, fees and charges revenue increased by 30.3% across the sector.
Over the past five years, government grants revenue had the smallest growth rate of 16.3%.
The following graph shows major revenue streams by university in 2024. Three universities (the same number in 2023) received over 40% of their total revenue from government grants.
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).
In 2024, nine universities received an increase in government grants from the prior year. The change in revenue from government grants at individual universities varied from a decrease of 2.1% to an increase of 15.1%.
The graph below shows Commonwealth, State and local government grants received by the universities in 2024, and the percentage change from 2023.
Note: Government grants do not include Higher Education Loan Programs, such as HECS, which are included in fees and charges.
Source: Universities’ consolidated financial statements (audited).
Trends in fees and charges revenue for NSW universities from 2020 to 2024 are presented in the following graph.
Source: Universities’ consolidated financial statements (audited).
All universities had increased fees and charges revenue in 2024. University of New South Wales has had increased fees and charges since 2021. It returned to pre-pandemic levels in 2023 (3.3% higher than in 2019) and, when compared to other universities, recorded the highest growth of 43.1% in 2024, largely due to an increase in overseas student revenue ($534 million) driven by a 46.3% increase in the number of overseas EFTSL students. The University of Sydney’s fees and charges revenue was not significantly impacted by the pandemic; it was the only university that recorded an increase in fees and charges revenue in 2021 (18.1% increase from 2020), and it has steadily increased its fees and charges to a high of $2.1 billion in 2024. Three universities’ fees and charges revenue has not yet returned to pre-pandemic levels. However, this is an improvement compared to eight universities reported in 2023.
In 2024, total course fee revenue increased by 25.5% from overseas students and 12% from domestic students
Universities’ overseas and domestic student course fees and charges revenue for 2020 to 2024 are presented in the following graph.
Note: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS, but does not include government grants for domestic students comprising the Commonwealth Grant Scheme (CGS) funding for Commonwealth Supported Places.
Source: Universities’ consolidated financial statements (audited).
In 2024, all universities had an increase in overseas student revenue, ranging from 1.1% to 60.8%, compared to 2023. The increase of $927 million in overseas student revenue in 2024 was driven by a 18.9% increase in the number of overseas EFTSL students (from 88,667 EFTSL in 2023 to 105,393 in 2024). Nine universities increased their overseas student enrolments in 2024 (the same number in 2023). The increase was driven by a number of factors, including the ongoing post-pandemic recovery from 2023, growing demand for quality education from key source countries such as China and India, policy changes related to visas and work regulations in other leading countries for overseas students, improved world rankings for some universities in 2023 and student recruitment strategies.
Since 2023, the number of domestic EFTSL students increased by 3.8%, with eight universities experiencing an increase in domestic students in the current year. However, over a five-year period, the number of domestic EFTSL decreased from 207,538 in 2020 to 204,499 (a 1.5% decline). Over these five years, course fees and charges revenue from domestic students grew by $332 million (15%). The financial impact of decreased student numbers has been offset by increases in average student fees for domestic students.
The graph below shows the movement in domestic student enrolments and average revenue per domestic EFTSL student between 2020 and 2024.
Note: Average revenue per domestic EFTSL student includes amounts from Higher Education Loan Programs, such as HECS, but does not include government grants for domestic students comprising the CGS funding for Commonwealth Supported Places.
Note: EFTSL have been restated in 2021, 2022 and 2023 based on updated numbers provided by universities.
Source: Universities’ consolidated financial statements (audited), student numbers provided by universities (unaudited).
The graph below shows the movement in EFTSL student enrolments between 2024 and 2023. Compared to 2023, eight universities experienced growth in domestic student enrolments in 2024, and nine universities experienced growth in overseas student enrolments. University of New England was the only university to experience decreases in both domestic and overseas student enrolments in 2024.
Source: Provided by universities (unaudited).
In comparing average revenue per EFTSL student, universities earn nearly twice as much from overseas students compared to domestic students. In aggregate for NSW universities in 2024, average revenue per domestic EFTSL student (including amounts from Higher Education Loan Programs and CGS funding for Commonwealth Supported Places) was $23,919 ($22,753 in 2023). The average revenue per overseas EFTSL student was $43,359 ($41,082 in 2023).
The graph below shows the universities’ revenue from overseas and domestic students in 2024. Income from overseas students exceeded income from domestic students at The University of Sydney and University of New South Wales (same as in 2023). Overseas student revenue recorded by these two universities makes up over 66% of total overseas student revenue for all NSW universities.
Note: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS. Government grants for domestic students represents the CGS funding for Commonwealth Supported Places.
Source: Universities’ consolidated financial statements (audited).
All universities recorded increases in overseas student revenue compared to 2024. The movement in overseas student revenue in 2024 for each university is shown in the graph below.
Source: Universities’ consolidated financial statements (audited).
Movements in overseas student revenue were not consistent across the universities. Different universities attract overseas students from different countries of origin in varying proportions. Four universities’ QS World rankings (Macquarie University, University of Newcastle, University of Wollongong and Southern Cross University) improved in 2023, which may have helped these universities attract more overseas students in 2024. University of New South Wales recorded the highest percentage increase in overseas student revenue in 2024 from 2023 (60.8%), which the university attributed to its growing demand over the past years, mainly due to improvements in QS World rankings, recent policy changes in other countries for overseas students and strong academic offerings.
Over 43% of universities’ total revenue from fees and charges in 2024 came from overseas students from three countries
In 2024, overseas students contributed $4.3 billion in course fees to NSW universities ($3.4 billion in 2023), an increase of $838 million. Students from the top three countries of origin contributed $3.1 billion in fees ($2.5 billion in 2023), which slightly exceeds the universities’ total revenue from domestic students in 2024. These top three countries were China, India and Vietnam whereas in 2023 and for more than five years prior, they had consistently been China, India and Nepal. Although the number of students from Vietnam was lower than that from Nepal, the revenue generated from Vietnamese students was higher. Revenue from students from the top three countries comprised 43.3% (40.5% in 2023) of total student revenue for all universities, and 73.4% of total overseas student revenue in 2024.
As reported in previous Auditor-General’s reports, a high level of reliance on student revenue from a limited number of key source countries of origin poses a concentration risk for NSW universities. Unexpected shifts in demand arising from changes in the geopolitical or geo-economic landscape, or changes to visa approval rates or travel restrictions, can impact revenue, operating results and cash flow. The consequence of relying on revenue from overseas students when there is a lack of diversification in the countries of origin was realised as travel restrictions were implemented following the outbreak of COVID-19 in early 2020. While almost all universities’ revenue from overseas students was negatively impacted in 2020, there was a greater initial impact and less resilience in student revenue from some countries of origin over the following two years.
The graph below shows the parent universities’ revenue in 2024 from overseas and domestic student fees and charges.
Note 1: Revenue from domestic students includes amounts from Higher Education Loan Programs, such as HECS. Amounts have been rounded to the nearest $1 million.
Source: Total revenue from domestic and overseas students was sourced from universities’ parent financial statements (audited). Revenue from students by country of origin was provided by universities (unaudited).
Student enrolments from China continue to represent the largest share of overseas enrolments
The number of overseas student enrolments at NSW public universities increased from 122,603 in 2023 to 139,599 in 2024.
All universities continue to market their educational products in international markets, focusing on countries in Asia.
The graph below shows the composition of overseas student enrolments by country of origin in NSW public universities over the past five years. It illustrates that, in 2024, NSW public universities appear to have maintained similar sources of overseas student enrolments.
Note: Data for 2020 to 2023 have been restated to reflect overseas student enrolments for NSW public universities only.
Source: Australian Trade and Investment Commission, international student data.
For six of the ten universities, China is the leading source of overseas student revenue (seven in 2023). This creates a concentration risk for each university, and for the NSW university sector as a whole.
The graph below illustrates the relative reliance of each university on a single country for its overseas student revenue.
Source: Universities’ parent financial statements (audited). Revenue from students by country of origin was provided by universities (unaudited).
Among the seven universities for whom China was the leading source of overseas student revenue in 2023, four experienced a decrease ranging from one per cent to five per cent in overseas student revenue from China in 2024. One of the four universities was Macquarie University, for whom the top country of origin for overseas student revenue shifted from China to India in 2024. The top country of origin at Western Sydney University shifted from India to Nepal. Six universities recorded Vietnam as one of the top five countries of origin in 2024 (five in 2023).
Only three universities now rely on one country for over 40% of their overseas student revenue (compared to six universities in 2019). The highest proportion of overseas student revenue sourced from a single country of origin at individual universities ranged from 20% to 78% (24% to 79% in 2023).
Other revenue
With the exception of three universities, philanthropic contribution to universities increased
Universities and many of their controlled entities are registered as charities. They can attract significant donations and bequests from public, private and corporate philanthropists. Some bequests are tied to specific research activities, and in order to comply with the terms of the bequest, the university may not use the funds for other purposes.
Philanthropic contributions to universities decreased slightly, from $210.5 million in 2023 to $199.4 million in 2024 (by six per cent). However, seven universities experienced an increase in philanthropic contributions in 2024.
The University of Sydney and University of New South Wales attracted 62.4% of total philanthropic contributions in 2024 (69.2% in 2023). The newer, smaller and non-metropolitan universities were least able to attract donations.
The graph below presents donation revenue received by each university in 2024.
Source: Universities’ consolidated financial statements (audited).
Universities’ total research income was $1.8 billion in 2023
Research income statistics for 2024 are not available from the Australian Department of Education until December 2025, so there is a time lag in reporting this measure.
Universities’ total research income increased by $226 million (14.5%) in 2023 compared to 2022. The University of Sydney and University of New South Wales collectively attracted 65% of total research income for all universities (64% in 2022).
Expenses
NSW universities’ combined expenses for the year ended 31 December 2024 are shown below.
Note: The numbers above have been rounded to the nearest $1 million.
Source: Universities’ consolidated financial statements (audited).
Source: Universities’ consolidated financial statements (audited).
Universities’ combined expenses increased by 9.4% in 2024
Universities’ combined expenses totalled $13.7 billion in 2024, an increase of $1.2 billion (9.4%) from 2023. Most of this increase was due to higher employee-related expenses and other expenses.
The outbreak of the COVID-19 pandemic put immediate financial pressure on the sector and universities responded by implementing cost-saving measures. However, since 2022, universities’ combined expenses have been higher than pre-pandemic levels. In 2024, as universities continued normal operations, combined ‘other’ expenses (including travel and entertainment, staff development, consultants, and repairs and maintenance) increased by $309 million in 2024 to $4.1 billion.
Some key contributors to this year’s increase in other expenses included an increase of:
- $73.1 million (28.7%) in agents’ commission
- $61.2 million (19.6%) in repairs and maintenance expenses
- $19.4 million (11.3%) in consultant and professional services expenses
- $11.9 million (5.7%) in travel, entertainment and staff development expenses.
The total expenses for each university in 2024, and the change since 2023, are shown below.
Source: Universities’ consolidated financial statements (audited).
Expenses at all universities increased in 2024; the largest increase was in employee-related expenses. This accounted for 63.2% of the increase in expenses compared to the previous year. University of New South Wales and The University of Sydney recorded the largest increases in expenses of $460 million and $273 million respectively, including a combined $66.1 million increase in agents’ commission, which is consistent with the growth in overseas student revenue.
Employee-related expenses increased by 10.7% in 2024
Combined employee-related expenses for universities increased to $7.7 billion in 2024, up by $744 million (10.7%) from 2023. The movement was partially due to growth in full-time equivalent (FTE) staff numbers of 2,765 (6.4%), and wage increases in line with enterprise agreements, averaging 3.7% across the universities. Universities increased staffing levels to support growth in strategic projects, teaching and research activities and to improve student services.
Redundancy expenses increased from $25.6 million in 2023 to $44.2 million in 2024, reflecting an increase in the number of positions either made redundant or provided for redundancy, from 312 to 501.
The graph below shows the key components of expenses for each university in 2024.
Source: Universities’ consolidated financial statements (audited).
Employee-related expenses represent the major portion of expenses at each university and range between 51% to 62% of total expenses.
Employee-related expenses to total income from continuing operations ratio
This ratio shows the proportion of total income that is spent on employee-related costs. A low ratio suggests that more income is available for non-employee-related costs. However, it may also indicate potential understaffing risks.
The ratio of employee-related expenses to total income from continuing operations for NSW universities from 2020 to 2024 is shown in the graph below.
Formula used to calculate the ratio: Employee-related expenses divided by total income from continuing operations.
Source: Universities’ consolidated financial statements (audited).
This ratio for NSW universities dropped from 59% in 2020 to 49% in 2021, reflecting cost-saving measures taken by the universities in response to the financial pressures caused by the COVID-19 pandemic. It rose to 57% in 2022 as universities increased staffing levels, while the combined total course fee revenues returned to pre-pandemic levels. Since then, the ratio has gradually decreased to 54% in 2024, as the increase in fees and charges, driven by higher overseas student enrolments, outpaced growth in employee-related expenses.
4.2. Financial sustainability
Universities must be financially sustainable to adapt to economic changes, such as fluctuations in student enrolments, shifts in government funding and other movements in the geopolitical environment. As detailed earlier in this chapter, more than half of NSW universities continued to report financial losses in 2024. To date, three NSW universities have announced plans to lay off hundreds of staff in response to current and budgeted deficits. There is recent uncertainty as to whether research grants received by some NSW universities from the United States Government will be paused or cancelled in coming years.
A key indicator of financial sustainability is the relationship between revenue growth and expenses growth. Sustained financial health is achieved when revenue growth consistently meets or exceeds the growth in expenses.
The graph below shows the cumulative growth rate movement in combined revenue and expenses of universities over the past six years. Growth rates in the graph refer to 2018 as the base year.
Source: Universities’ consolidated financial statements (audited).
The impact of COVID-19 saw universities experiencing a higher growth in combined expenses compared to revenue in 2020. Cost saving measures were implemented in response to the pandemic, with cumulative revenue growth exceeding expenses for the first time since COVID-19 in 2021. Since then, and only up until 2024, expense growth for universities were at a higher rate than revenue growth. Sustained levels of higher growth in expenses can impact the financial health of universities.
Changes to student visa processing may impact overseas student enrolments from 2025
The introduction of Ministerial Direction 111 ‘Order for considering and disposing of offshore Subclass 500 (Student) visa applications’ and the redistribution of Australian Government funding to regional universities, as outlined in the Australian Universities Accord recommendations, is likely to have implications for universities, particularly metropolitan universities.
On 18 December 2024, the Assistant Minister for Citizenship and Multicultural Affairs introduced Ministerial Direction 111, which contained new arrangements for processing offshore student visa applications. Each higher education provider is allocated a priority threshold, which is set at 80% of the indicative allocation of new overseas student commencements as calculated by the Australian Department of Education in late 2024. Student visa applications are processed as high priority while the higher education provider is below the threshold, and move to standard priority once the threshold is exceeded.
The 2025 projections provided by the universities suggest the strong growth in overseas student revenue is unlikely to continue. Combined universities’ overseas student revenue is forecast to grow more slowly in 2025, rising by just $0.05 billion to reach $4.62 billion, compared to a $0.93 billion increase to $4.57 billion in 2024.
At 31 March 2025, four universities had reached their prioritisation threshold. This will likely lead to a slowdown of overseas student visa processing for these universities, which may decrease their expected levels of overseas student revenues. Universities are responding to these new challenges by considering the management of operating and capital expenses within existing cost structures. They are assessing the impacts of Ministerial Direction 111 on their financial capacity, flexibility, credit risk and long-term financial sustainability.
Universities have considered implementing the following measures:
- developing targeted marketing strategies to attract and retain international students (all universities)
- cost-saving measures (eight universities)
- looking for opportunities to increase domestic students (seven universities)
- deferring or cancelling capital projects (five universities)
- requesting additional funding (three universities).
The average student visa rejection rates at universities in NSW between 2021 and 2024 are shown in the graph below.
Source: Audit Office analysis based on data provided by universities (unaudited).
Rejections of student visas increased on average from four per cent in 2021 to 13.8% in 2024. The increasing trend may impact the growth rate of overseas student enrolments and revenue in future years.
Liquidity ratio
A liquidity ratio indicates the university’s capacity to meet financial obligations within its ordinary operating cycle. A benchmark ratio of one is generally used to indicate that there are sufficient liquid assets to meet short-term liabilities.
The liquidity ratio for NSW universities at 31 December from 2022 to 2024 is shown in the graph below.
Formula used to calculate the ratio: Current assets divided by current liabilities. This formula is consistent with the formula used in the Tertiary Education Quality and Standards Agency’s (TEQSA) risk assessment of registered higher education providers to assure higher education standards.
Source: Universities’ consolidated financial statements (audited).
When calculating an unadjusted current ratio, at 31 December 2024, only three universities reported a ratio above one. However, universities classify employee benefit provisions that are expected to be settled beyond 12 months as current liabilities. If these liabilities are excluded from the calculation because they are likely to be paid in the next operating period, and if non-current term deposits are included on the basis that they can be converted to cash at short notice (despite maturing at a later date), the adjusted liquidity ratios would be higher across all universities, with five universities having liquidity ratios above one. This is demonstrated in the extensions in the graph above.
Cash expense cover ratio
Six universities have less than three months of cash reserve to fund operating and financing activities
This ratio indicates the number of months a university can continue paying for its immediate expenses without additional cash inflow. A higher ratio indicates a stronger buffer against financial volatility and a higher degree of short-term financial resilience.
The cash expense cover ratio for NSW universities from 2022 to 2024 is shown in the graph below.
Source: Universities’ consolidated financial statements (audited).
Seven universities have shown a decreasing ratio over the last three years and, in 2024, six universities had a cash expense cover ratio below three months, highlighting increasing financial vulnerability. The same six universities also had a current ratio less than one in 2024. These two indicators combined may signal possible concerns about financial sustainability whereby universities would need to closely manage their financial resources. Four of those six universities also reported a net deficit in 2024.
Although the university sector overall has seen improved financial results in 2024 and some extent of recovery in student numbers following the COVID-19 pandemic, this has not been equally experienced by all universities. With the impacts of Ministerial Direction 111, universities forecast the strong growth in overseas student revenue is unlikely to continue. This means universities are likely to seek other avenues to diversify their revenue streams or contain their expenditure in order to continue operations sustainably.
Investments in property, plant and equipment and intangible assets ratio
This ratio indicates whether the university is sufficiently reinvesting in its PPE and intangible assets to sustain or grow its operations. A ratio below one suggests the university is not fully replacing its assets at the rate they are being depreciated / amortised.
The investments in PPE and intangible assets ratio for NSW universities from 2022 to 2024 is shown in the graph below.
Formula used to calculate the ratio: Cash outflows for property, plant and equipment and intangible assets, divided by depreciation and amortisation expenses.
Source: Universities’ consolidated financial statements (audited).
In 2024, six universities had an increasing ratio of investments in PPE and intangible assets relative to depreciation and amortisation, but five universities reported a ratio below one; most of these have been consistently below one over the past few years. This indicates that the current asset replacement levels at these universities are much less than the rate at which they are being depreciated. This may pose a risk to these universities’ long-term sustainability, with potential impacts on their teaching and research quality, student experience and overall competitiveness. For the universities that have a ratio greater than one, there is generally a correlation with a lower liquidity ratio (below one) as cash is invested in acquisition or build of non-current assets.
Capital project management
Universities reported $892 million in capital and intangible works in progress (WIP) as at 31 December 2024. Large and complex capital projects are at greater risk of delays due to scope or design changes, unexpected price increases, contractual or industrial disputes, and changes to strategic priorities. Effective governance over capital projects ensures:
- accountability for key decisions
- major expenditure is financially sustainable and consistent with strategic goals
- appropriate consideration of risks.
Six universities do not have a documented policy on key governance processes for capital projects
Six universities do not have a documented policy or procedure that sets out requirements for completing business cases and post-completion reviews for capital projects. One of these universities has a documented policy for preparing business cases only. Five of these universities advised that while they have no documented policy, they complete these activities as established business practice. However, these business practices are not consistently applied, as detailed below.
We reviewed key elements of universities’ project governance for the two largest completed capital projects for physical assets and the two largest completed capital projects for intangible assets.
Of the sampled projects, five projects at three universities with a combined budget of $6.3 million did not have a completed business case. The need to prepare a business case may depend on the risk assessment, objectives (for example, strategic or compliance) and proposed project cost. However, if the criteria are not clearly defined, then inconsistent practices may result.
Business cases enable decision-makers to understand the project scope and make an informed decision based on:
- how the proposed project aligns with strategic plans
- the different options and why the preferred approach is selected
- the costs and benefits, and how these will be measured post-completion
- the financial impacts on the university, including funding sources and procurement approach
- the risk assessment, and residual risk after mitigating actions taken
- plans for monitoring and evaluation during and after project completion.
Of the sampled projects, ten projects at six universities with a combined budget of $64 million did not include a post-completion review. This makes it more difficult to evaluate whether the capital project was fit for purpose or achieved its objective, especially where there may have been delays, budget overruns or scope variations from the original proposal.
Six universities reported delays in completing projects in line with original timeframes. The reasons for delays included:
- scope changes
- complexities arising from integration of information technology (IT) systems
- unavailability of contractors
- competing priorities.
Nine universities reported budget revisions or cost overruns due to scope and/or design changes, and unexpected increases in market costs. Post-completion reviews enable universities to formally assess the reasons for delays and cost overruns, and improve project management of future capital projects.
Universities wrote off $7.5 million of capital works in progress
Write-offs are costs that universities incur and capitalise as assets, but subsequently derecognise from assets as they no longer anticipate receiving future economic benefits from these costs. The total value of capital project write-offs decreased from $9.1 million in 2023 to $7.5 million in 2024. The main reason for writing off capitalised costs was project cancellations resulting from changes in strategic priorities.
Nine universities have $38.1 million in aged WIP more than three years old. The majority of aged WIP balances relate to construction projects that have a longer completion timeframe. Other reasons for aged WIP balances include work on-hold as strategic plans revisited, design costs capitalised for subsequent construction phases and budget availability. Aged WIP may be less likely to generate future economic benefits and are at greater risk of write-off.
RecommendationUniversities should clearly document the requirements for business cases and post-completion reviews for capital projects. These should consider the long-term strategic objectives of the university to minimise the risk of wastage of public resources. |
Asset utilisation
Universities control $15.3 billion in land and buildings. These assets are used for teaching and research, leased out for commercial purposes, used as student accommodation or used to support universities’ service delivery.
Four universities do not track building utilisation rates using a clearly defined process
Three universities do not have a documented policy that specifically covers how they manage and monitor utilisation of buildings or physical spaces. Understanding how physical infrastructure assets are utilised, supported by relevant data, allows the university to more effectively plan the use of its resources through:
- optimising space usage and capacity
- cost efficiency from reduced overheads and maintenance
- supporting sustainability goals by minimising energy consumption and the need for additional construction works.
Four universities do not have a clearly defined process to calculate and monitor building utilisation rates. The other six universities use different methodologies to calculate building utilisation. Some of the universities monitor actual usage data from booked hours, access card logs or sensors, while others treat a space as having been fully occupied if it was allocated for use.
Of the six universities that provided building utilisation data, utilisation rates for 2024 ranged from four per cent to 99% occupancy. The university that reported a four per cent utilisation rate assumes that teaching spaces are available for use for 24 hours a day.
Without accurate and relevant building utilisation rates, there is a risk that universities are engaging in unnecessary capital works which are costly and disruptive. Alternatively, underutilised spaces could result in foregone revenue.
Universities also allocate building space for short- and long-term leases to external entities. In 2024, universities collectively earnt $53.3 million in rental revenue from leasing building spaces. Out of this total amount, three metropolitan universities received $39 million.
Student accommodation occupancy is lower in regional universities
Collectively, the universities reported $192 million in revenue from student accommodation, up from $182 million in 2023.
The average occupancy rate was 83% in both 2024 and 2023. Four universities reported occupancy rates below the average, ranging from 46% to 75%. These universities are mainly located in regional NSW. The other six universities reported occupancy rates from 93% to 100%.
Higher vacancy rates may indicate that universities are not maximising the use of student accommodation assets. The four universities with lower vacancy rates advised demand can fluctuate based on course completion, deferral or withdrawals during the year. There may also be impacts from subjects being transferred online.
Intellectual property
In 2023, universities received $1.8 billion in funding to conduct research and development. Research funding sources include Australian or international governments, private for-profit and not-for-profit organisations and individual benefactors.
Research outcomes may produce intellectual property (IP). Universities may commercialise these research outcomes, where appropriate, if the grant provider does not own the IP.
Five universities do not have established process to track the intellectual property they own
Universities reported holding IP, including patents, copyrights, trademarks and licences. Collectively, nine universities recognised $4.8 million in revenue from IP.
Five universities do not maintain centralised registers that track the IP that is owned by them. This increases the risk that all IP is not identified and valued, and not included in universities’ financial statements. Furthermore, the lack of central oversight may result in universities not receiving the benefits of commercialisation of research outcomes.
Three universities recognised IP assets to the value of $4.2 million in their financial statements, and they recognised these assets at their cost less accumulated amortisation. The remaining universities have not recognised IP assets in the financial statements.
4.3. Controlled entities
The number of university-controlled entities decreased
Three university-controlled entities were closed (one each for University of New South Wales, University of Technology Sydney and University of Wollongong) and one entity ceased to be a controlled entity of Macquarie University, which decreased the total number of its controlled entities from 78 to 74 in 2024. Controlled entities, whether based in Australia or overseas, experienced an overall improvement in operating result.
Of the 74 controlled entities, 12 were non-operating at 31 December 2024 (12 in 2023), including corporate trustees that do not trade and entities that have ceased to operate due to business rationalisation. Twenty-four controlled entities reported losses in 2024 (17 in 2023).
Of the 51 controlled entities that prepared 31 December 2024 financial statements, 48 were able to demonstrate that they were going concerns, that is, they are able to operate for the next 12 months and meet their financial obligations. Thirty controlled entities required letters of financial support from their parent in 2024 (29 in 2023).
A greater number of controlled entities is associated with a heightened risk of compliance issues. As previously recommended in the Auditor-General’s Universities 2018 audits report to Parliament, universities should continue to ensure they have appropriate governance arrangements to oversee the legal and policy compliance functions of their controlled entities, particularly those operating overseas.
The table below details the number of controlled entities.
| University at 31 December 2024 | Total number of controlled entities | Number of non-operating entities | Number of overseas controlled entities |
| Charles Sturt University | 2 | -- | -- |
| Macquarie University | 13 | 8 | 1 |
| Southern Cross University | 2 | -- | -- |
| University of New England | 5 | 1 | -- |
| University of New South Wales | 15 | 1 | 6 |
| University of Newcastle | 4 | -- | 1 |
| The University of Sydney | 5 | -- | 2 |
| University of Technology Sydney | 9 | -- | 5 |
| University of Wollongong | 12 | 1 | 7 |
| Western Sydney University | 7 | 1 | 1 |
| Total | 74 | 12 | 23 |
Source: University and controlled entities’ financial statements (audited).
5. Internal controls and governance
Governance is the framework of rules, processes and systems that enable organisations to achieve goals and comply with legal requirements. Good governance promotes public confidence in the integrity and effectiveness of universities’ systems and operations. A strong system of internal controls enables universities to operate effectively and efficiently, produce reliable financial reports, comply with laws and regulations, and support ethical and transparent decision-making.
This chapter outlines our findings on internal controls and governance across the ten NSW universities.
Financial audits focus on the key internal controls and governance that support the preparation of financial statements. Breakdowns and weaknesses in internal controls can increase the risk of fraud and error. Our management letters report deficiencies in internal controls, matters of governance interest and unresolved issues to those charged with governance. These letters also include risk ratings, implications, recommendations and management responses.
Chapter highlights
|
5.1. Key audit findings
The number of findings reported to management has decreased by 12%
In 2024, there were 98 audit findings identified across the ten NSW universities (111 in 2023). The graph below shows the breakdown of 31 December 2024 audit findings by key themes and risk.
Source: Audit Office analysis.
We identified 38 repeat findings in 2024
Repeat findings comprised 39% of all issues reported to those charged with governance (29% in 2023). Repeat findings arise when the university has not implemented recommendations from previous audits. The most common repeat issues related to IT / cyber security, governance and payroll. The need for improvements to user access management and managing privileged user accounts was a repeat finding for five universities.
Universities have agreed to prepare implementation plans to address repeat issues. A delay in implementing audit recommendations increases the risk of intentional and accidental errors in processing information, producing management reports and generating financial statements. This can impair decision-making, impact service delivery and expose universities to fraud, financial loss and reputational damage. Poor controls may also mean staff may be less likely to follow internal policies.
Common findings
IT / cyber security, governance and payroll control matters continue to dominate audit findings. Specifically, common findings reported in audit management letters include deficiencies in:
- user access management and review, including for privileged user accounts
- cyber security practices (refer to chapter 7)
- wages underpayment (refer to chapter 3.3 earlier in this report)
- revenue-processing practices and revenue recognition
- use of purchase orders
- outdated policies and procedures
- fair value assessments of property, plant and equipment (PPE).
There were 35 findings of control deficiencies in information technology / cyber security, including one high-risk finding
Eight universities had deficiencies in their IT / cyber security controls.
One high-risk finding related to a lack of monitoring of privileged user activities over multiple information systems. This was a repeat matter that was initially raised in 2018. The university subsequently addressed this matter by 31 December 2024.
Seven universities had deficiencies in managing user access to key systems
Deficiencies in managing and reviewing user access to key information systems, including for privileged user accounts, comprised over half of the IT / cyber security findings. These user access deficiencies continue to apply to seven universities.
Robust access management processes include:
- ensuring only approved new users can gain access to systems
- periodic review of functions granted to each user to ensure access levels reflect any changes to a user’s role requirements
- timely removal of user profiles that no longer require access
- setting up separate accounts for each user requiring privileged access that is:
- separate to their standard account
- not shared with other users
- maintaining audit logs of privileged user activities, and implementing independent periodic reviews of audit logs.
Poor user access management increases the risk of inappropriate access to information systems. This increases the risk of unauthorised transactions, or theft of sensitive information.
Six universities can improve their revenue-processing practices and revenue recognition
Universities generate revenue from various sources, including course fees, research and grant revenue, and fees and charges for other services such as accommodation. The Australian Accounting Standards (AAS) set out specific criteria that universities must meet to recognise revenue.
Four universities did not have adequate controls in place to ensure all revenue is recognised in accordance with AAS. This may distort financial results and include:
- errors in the timing of revenue recognition
- amounts that required refunds, reported as deferred revenue for an extended period of time.
Two universities did not consistently document approval and review of updated rates charged to customers. This may result in errors in fees charged to students or other customers.
Three universities approve purchase orders after receipt of goods or services
Purchase orders were approved after receipt of goods or services at three universities. Purchase orders should be generated and approved by delegated authorities before staff order goods or services to reduce the risk of unauthorised or fraudulent transactions.
Key governance, financial or IT policies and procedures were outdated or not in place at six universities
Six universities did not formalise and/or regularly review all key governance, financial, or IT policies and procedures. Regular review ensures emerging risks are considered and policies are reflective of changes to the business environment. Lack of formal policies and procedures may result in inconsistent and inappropriate practices, and an increased risk of:
- inefficient or ineffective governance practices
- errors in financial reporting
- inappropriate access to key systems.
Four universities need to improve processes over fair value assessments for property, plant and equipment
PPE comprises a significant proportion of universities’ assets. Most universities choose to present PPE at fair value in the financial statements. Assessing the fair value of PPE is complex as it involves applying judgements and assumptions. Small changes in these factors can have a significant impact on asset values. Therefore, robust controls and reviews are vital to ensure PPE is appropriately valued in the financial statements.
Deficiencies in four universities’ procedures over fair value assessments of PPE included:
- applying outdated indices to calculate movements in fair value
- incorrectly valuing an asset held for sale
- not completing a comprehensive revaluation of all asset classes with sufficient regularity
- insufficient documentation of the valuation process, including documentation of the valuation methodology, key judgements and assumptions, and sufficient evidence of management’s involvement in the valuation process when an external valuer is engaged.
6. Enrolments and teaching outcomes
Universities’ primary objectives are teaching and research. They invest most of their resources to achieve quality outcomes in academia and student experience. Universities have committed to achieving certain government targets and compete to advance their reputation and standing in international and Australian rankings.
This chapter outlines enrolments and teaching outcomes for NSW universities in 2024.
Chapter highlights
|
6.1. Student enrolments
2024 enrolments exceeded pre-COVID-19 enrolments for the first time
Overall enrolments increased by 24,212 equivalent full-time study load (EFTSL) students in 2024 from 285,680 EFTSL students to 309,892 EFTSL students. This is a significant increase when compared to the 4,162 EFTSL increase from 2022 to 2023.
Total enrolments in 2024 exceeded the 2019 enrolments of 299,699 EFTSL students, mainly due to an increase in overseas student enrolments. The factors contributing to the growth in overseas student revenue and enrolments are discussed in chapter 4.1 Financial results.
The graph below shows the movement and composition of combined student enrolments over time.
Note: EFTSL for 2021, 2022 and 2023 have been restated based on updated numbers provided by universities.
Source: Student numbers are provided by universities (unaudited).
The impact of border closures in 2020 and 2021 is reflected in lower total enrolments in 2022 and 2023. As existing students graduated in 2022 and 2023, lower numbers of continuing students due to border closures in 2020 and 2021 adversely impacted the number of enrolments in those years.
The introduction of Ministerial Direction 111 ‘Order for considering and disposing of offshore Subclass 500 (Student) visa applications’ and its potential impact on overseas student enrolments and revenue is discussed in chapter 4.2 Financial sustainability.
Enrolments at universities increased in all fields of education in 2024, with the largest increase in IT, Engineering and Related Technologies
The largest increases in student enrolments at NSW universities in 2024 were in:
- IT, Engineering and Related Technologies courses, with 7,611 more enrolments than in 2023 (15.5% increase)
- Management and Commerce courses, with 4,568 more enrolments than in 2023 (ten per cent increase)
- Education courses, with 3,018 more enrolments compared to 2023 (16.4% increase).
The graph below shows the movement in student enrolments by EFTSL by field of education between 2023 and 2024.
Source: Student numbers are provided by universities (unaudited).
The ‘Skills Priority List Key Findings Report 2023’ published by Jobs and Skills Australia identified a shortage in six ‘professionals’ group occupations’. Many of the occupations in these groups require higher education. The report identified the following occupational shortage rates:
- health professionals – 82%
- ICT professionals – 69%
- design, engineering, science and transport professionals – 54%
- education professionals – 47%.
Skills shortages may also result from a lack of skilled workers with post-qualification experience. Therefore, increased student enrolments in education fields experiencing skills shortages may not necessarily alleviate skills shortages in the short term.
Students from low socio-economic status (SES) backgrounds
Enrolment of students from low SES backgrounds remained steady in 2023
In 2009, the Australian Government set a target of 20% of university undergraduate enrolments for students from low SES backgrounds by 2020.
The 2023 results for NSW universities showed five universities achieved this target, with enrolments of students from low SES backgrounds representing more than 20% of domestic undergraduate students (five universities in 2022). The total percentage of domestic undergraduate students from low SES backgrounds remained steady at 15.8%, and remained below the 2020 target of 20%.
Reported enrolments of domestic undergraduate students from low SES backgrounds in 2023 for universities as a percentage of total domestic undergraduate students is shown in the graph below.
Source: Australian Department of Education, Student Data 2023, Section 11: Equity groups.
Enrolment statistics for 2024 are not expected to be available from the Australian Department of Education until late 2025.
Students from Aboriginal and Torres Strait Islander backgrounds
Enrolment of Aboriginal students increased as a percentage of total domestic student enrolments in 2023 – but this is not a real increase in numbers
In March 2017, all Australian universities committed to achieving growth rates for enrolments of Aboriginal students to exceed the growth rate of enrolments of other domestic students by at least 50%. In March 2022, Universities Australia published their ‘Indigenous Strategy 2022–25’, reflecting the sector’s continued commitment to improving completion rates of Aboriginal students.
The Australian Department of Education’s dataset, ‘2023 Section 11 – Equity groups’ showed six NSW universities achieved increased enrolments of Aboriginal students as a proportion of total domestic student enrolments (eight in 2022).
The following graph shows Aboriginal students as a percentage of total domestic students at each university. Overall, the proportion of Aboriginal students increased from 2.4% in 2022 to 2.5% in 2023.
Source: Australian Department of Education, Student Data 2023, Section 11: Equity groups.
Enrolments of Aboriginal students declined by 1.9% in 2023
The overall number of Aboriginal students decreased from 7,397 in 2022 to 7,256 in 2023 (1.9%). However, there was a greater decrease of 3.4% in the total number of domestic students enrolled from 303,950 in 2022 to 293,695 in 2023.
Enrolment statistics for 2024 are not expected to be available from the Australian Department of Education until late 2025.
6.2. Teaching outcomes
Ratio of students to academic staff
The ratio of students to teaching and learning staff provides a broad indication of potential constraints on the level of support available to students, the quality of the learning experience for students and the average teaching workload. A lower ratio means that there are fewer EFTSL onshore students per FTE academic staff.
Eight universities increased their student to academic staff ratio, and two universities’ ratio remained stable or decreased
The student to academic staff ratio for NSW universities from 2022 to 2024 is shown in the graph below.
Formula used to calculate the ratio: Total onshore students (EFTSL) divided by total academic staff (FTE).
Note: The figures used in the calculation relate to EFTSL and FTE at the parent university.
Source: Audit Office analysis based on data provided by universities (unaudited).
In 2024, the ratio ranged from 13.4 at The University of Sydney to 25.1 at Southern Cross University. University of New South Wales and The University of Sydney consistently maintained the lowest ratio across the three years analysed, although the ratio increased for both universities post 2022.
In 2024, the ratio increased for eight universities, remained stable for University of Newcastle and decreased for Charles Sturt University. The increase in the ratio across the sector reflects the 8.5% increase in student enrolments reported in chapter 6.1 above. This may indicate that universities are achieving greater economies of scale as student numbers increase, but it may also indicate the need to potentially recruit more academic staff to keep pace with increased student enrolments.
Modes of learning
Universities reported a decrease in courses delivered primarily face-to-face
Universities increased the proportion of courses delivered via hybrid methods and primarily online. On average, universities delivered:
- 23% of their courses primarily online (20% in 2023)
- 41% of their courses primarily face-to-face (52% in 2023)
- 36% of their courses both online and face-to-face (28% in 2023).
The decrease in courses delivered primarily face-to-face may alleviate pressures for universities with capacity constraints in teaching spaces, given the increase in enrolments in 2024. There may also be opportunities for universities to optimise existing teaching spaces to meet other strategic objectives.
7. Cyber security
This chapter focuses on the cyber security incident environment at universities, the reporting of incidents to regulators and how universities have responded to data breaches as a result of cyber security incidents. We also address how universities train their staff to identify and prevent cyber security incidents.
Chapter highlights
|
7.1. Background
Our audit focus on cyber security aims to provide insights into how universities respond to risks associated with cyber security through our financial audits across NSW universities.
Cyber security incidents reported in the education sector
The Australian Signals Directorate (ASD) advised in their Cyber Threat Report 2023–24 that there were over 87,400 cybercrime reports, with email compromise being the most common type of incident. The education and training sector accounts for five per cent of cyber security incidents and remains one of the most targeted sectors.
Figure 1: Top ten reporting sectors.
Source: ASD Annual Cyber Threat Report 2023–2024.
One NSW university was subject to numerous and pervasive cyber security attacks from 2023 to 2025; these resulted in data breaches that affected up to 10,000 individuals. These included breaches of personally identifiable information. The university had to contain the identified access and engaged experts and authorities to assist them. Learnings from the data breaches have been placed into an accelerated program of work to uplift the university’s cyber security capability and resilience. These learnings include enhancing security on accounts, password resets and additional monitoring, detection, and forensic tools and technology.
Regulatory requirements for cyber security
There have been recent state and federal legislative changes on cyber security. This includes the NSW Mandatory Notification of Data Breach Scheme (MNDB Scheme) in November 2023 and the federal Cyber Security Act 2024 in November 2024.
Universities may be subject to mandatory cyber incident reporting requirements under the Security of Critical Infrastructure Act 2018. The Australian Cyber Security Centre (ACSC) advises that incident reporting will depend on the nature and impact of the incident. Reporting of these incidents helps inform an issue or request assistance or advice from the ACSC.
When the cyber security incident results in a data breach of personal and health information that meets the criteria of the MNDB Scheme, a university is required to notify the Privacy Commissioner and the affected individual.
The impacts of these legislated requirements results in the reporting of fewer but more significant incidents. Both of these agencies regularly share their insights, such as in the ASD Cyber Threat Report 2023–24 reporting and the MNDB Scheme resources. Sharing of information also allows these regulators to provide advice, guidance and threat intelligence.
The federal Cyber Security Act 2024 came into effect in November 2024, and its supporting Cyber Security Rules were effective from May 2025. Both give security measures and rules on compliance and reporting, and advice on how to establish a Cyber Security Incident Review Board.
Common cyber security targets in universities include the personal and private information they hold and share, and intellectual property and research information from their engagements with industry, government and foreign affairs. These risks are heightened by the large number of users and devices that access systems across universities and their communities.
7.2. Cyber security incidents
The Australian Signals Directorate responded to over 1,100 cyber security incidents in 2023–24, which was similar to what was reported in the previous year. The ability to detect, contain and respond promptly and appropriately not only reduces the financial impact on operations but limits the impact.
Cyber security incidents faced by universities
Cyber security incidents are highly prevalent and have impacted seven out of ten universities
Cyber security incidents are prevalent, typically involving security breaches and the unauthorised acquisition of information.
The following graph illustrates the number of incidents identified by universities. The most common types of cyber security incidents include compromised user accounts, malware from emails or installed on vulnerable devices, data breaches and scams. The graph also shows that not all instances were reported to regulators or external agencies, a topic which will be discussed in greater detail below
Source: Audit Office analysis of universities.
Cyber security incidents may require reporting to regulators and external agencies when they have a critical or significant impact, are defined by regulations or if assistance is needed. Regulators and external agencies include the Australian Cyber Security Centre, the Department of Home Affairs, the NSW Information and Privacy Commissioner, the Australian Federal Police and the NSW Police Force.
Universities reported that the most prevalent and significant cyber security incidents to external agencies were related to:
- hacking (four universities)
- data breaches (four universities)
- user account compromises (three universities).
Three universities advised that no cyber security incidents required external reporting.
Recording of cyber security incidents and privacy breaches needs improvement
Universities do not consistently follow their own procedures for recording cyber incidents, data breaches and privacy data breaches. Our review and sampling of the universities’ procedures and practices found that:
- 1 university did not follow procedures when recording cyber incidents
- 3 universities did not follow procedures for recording details on their cyber security data breaches
- 3 universities did not follow procedures for recording privacy data breaches.
Seven universities followed their internal procedures for recording cyber incidents and data breaches.
The inadequate and inconsistent recording of cyber security incidents may limit analysis and learnings for future incident management, understating the number of incidents that occurred and hindering the correct analysis of an incident. It could also reduce the accuracy of the incident’s nature and significance, and undermine the accuracy and reliability of management reporting on cyber security incidents.
Universities monitored incident trends to help them focus on resourcing their cyber security efforts. All universities monitor metrics on their cyber security incidents, with five universities monitoring the number and type of incidents, and five universities formally reporting the cause of the incidents to senior management.
Universities advised that they used varied metrics in their reporting of incidents to management. However, the inconsistent measurements may not give management a clear picture of the nature, volume and significance of the cyber security incidents identified. This could lead to incorrect management decisions on cyber security planning, resourcing and incident management.
RecommendationUniversities should comply with their established processes when recording cyber security incidents and data breaches, and regularly provide senior management with relevant reports detailing significant cyber security issues and metrics. |
7.3. Cyber incident causes and their sources
Identifying the cause and source of a cyber security incident helps teams manage not only the live incident but the recovery and remediation of weaknesses. Investigating the cause of a cyber security incident includes identifying the attack methods used and how the attack occurred.
Nine universities advised they identify the causes of cyber security incidents. Five of these nine universities do not formally analyse and report the causes to management, but they report other metrics, such as the number and type of incidents.
There is a gap between management reporting of the causes of cyber security incidents and what their detailed analysis identifies. Cyber security teams advised that they did not report the causes to management because of shortcomings in analytical metrics and reporting capabilities.
They advised the following top three causes of cyber security incidents:
- emails with suspicious attachments (eight universities) – these emails comprised 67% of the top causes of cyber security incidents
- suspicious remote access and unauthorised access or attempts (seven universities)
- malicious activity (two universities) – this included intentionally harmful theft and unauthorised access and exposure of university information. One malicious activity related to the unauthorised exposure of sensitive university information by a staff member.
Cyber security incidents included internal threat sources
Identifying the source of cyber security incidents may help contain and prevent future incidents or similar types of incidents for other universities and businesses.
Universities identified the following sources of their cyber security incidents:
- external individuals (five universities)
- criminal organisations (three universities)
- internal users (three universities)
- students (two universities).
One university advised that identifying the source of their cyber security incidents was difficult and almost impossible.
7.4. Data breaches and mandatory notification
Data breaches have become commonplace. The ASD Cyber Threat Report 2023–24 states that the Australian Government had 1,012 data breach notifications in 2024 (a 13% increase), which accounted for 20% of cyber supply chain-related incidents. In NSW, the Information and Privacy Commissioner supports the legislative changes of the Privacy and Personal Information Protection Act 1998 and the Mandatory Notification of Data Breach Scheme (MNDB Scheme). The Information and Privacy Commissioner provided guidelines on what defines a mandatory notifiable data breach and compliance obligations required for the agency to manage the breach. The two tests that determine if a data breach is eligible under the MNDB Scheme are:
- There is unauthorised access to, or unauthorised disclosure of, personal information held by a public sector agency or there is a loss of personal information held by a public sector agency in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information.
- A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates.
The classification of whether a data breach requires notification can be driven by factors such as the type of personal information breached (for example, financial, health, government-issued identity) and the harm it may cause (for example, identify theft, fraud, financial loss, emotional distress, harassment or violence).
Data breaches requiring mandatory notification
Data breaches that required mandatory notification were mainly on unauthorised access and disclosure, and were mainly caused by phishing attacks and human error
Six universities experienced data breaches that required mandatory notification under the MNDB Scheme. These included data breaches where it would be likely that serious harm to the individual would occur from the unauthorised disclosure or unauthorised access (six universities) and loss of personal information (four universities).
Three causes of mandatory notifiable data breaches were equally the most common, with three universities having each of the following causes:
- phishing attacks which led to compromised credentials
- human error
- other cyber incidents.
The Information and Privacy Commissioner’s Mandatory Notification of Data Breach Scheme Trends Report noted human error as the dominant cause of data breaches for all sectors (including state and local government) in October 2024. Universities reported that the cause of their data breaches was also significantly due to human error.
There were other data breaches that did not require disclosure under the MNDB Scheme. The universities advised that these data breaches did not pose serious harm to the individual, even though unauthorised access (eight universities) and unauthorised disclosure (five universities) occurred.
The top three causes of these data breaches were:
- human error (six universities)
- phishing attacks (four universities)
- brute force attacks (three universities), which were used to determine user account credentials and passwords.
Universities plan to resolve these data breaches by fixing system vulnerabilities (six universities) and improving the configurations or processes through their cyber security uplift program (five universities).
7.5. Cyber security training and awareness
Cyber security awareness training helps users identify and prevent cyber security incidents.
Cyber security training requirements not current at two universities
One of the universities last reviewed and updated its cyber security training requirements in 2020 but is planning to update its material in 2025. The other university last reviewed its training material in 2022. Given the fast-evolving nature of cyber threats it is unlikely that outdated cyber security training is effective. The remaining eight universities reviewed or revised their training and awareness requirements in 2024. Those that are updating their training are focusing on higher-risk personnel, updated phishing simulations and emerging risk trends.
Universities’ cyber security training completion rates are low and exclude training for students
All ten universities require staff to complete cyber security training when they begin their employment. None of the universities requires external users and students to complete cyber security training when they start. Two universities advised that they excluded students from cyber security training because either the focus of the training was higher-risk users such as staff and contractors, and this excluded students, or the cost of provisioning licences was deemed excessive. Two universities plan to reconsider providing some cyber security training to students in the future. Reluctance to provide cyber security training to students goes against recommendations made in 2020 by the Australian Government in Enhancing Cyber Security Across Australia’s University Sector and the delivery of training for cyber security basics for all Australian university students in 2022. The Australian Department of Education also provides free access to training for university students.
While one university does not monitor staff completion of cyber security training, it plans to establish reporting processes in 2025. The remaining nine universities have staff completion rates that range from 35% to 95%, with four below 60%. One university does not require annual refresher cyber security training.
Three universities do not provide tailored cyber security training to specialist or high-risk user groups (such as procurement, payroll, information technology, finance or senior management). Two of these have plans to develop tailored training, but one does not have any plans. This delay also goes against the previously mentioned recommendations.
Simulated phishing attacks are not used by three universities as part of their training although phishing is the most prevalent cyber security attack method
Owing to its prevalence as a cyber security attack method, simulated phishing attacks is one training area the industry has focused on.
Three universities did not perform simulated phishing attacks in 2024. Two of these are planning to begin simulated phishing activities, but one has decided not to engage in any such activities.
Staff that failed the phishing simulation were given feedback and actionable tasks. Six universities asked users to perform additional training, and five of these gave staff verbal or written feedback on how they should have responded.
Universities use simulated phishing attacks more commonly than local councils but less commonly than state sector agencies. Regular use of simulated phishing attacks in universities (70%) exceeds the use rate in the local government sector (55%), but it is lower than in the largest state sector agencies (96%). NSW State sector agencies are required to perform simulated phishing attacks to comply with the NSW Cyber Security Policy, which is not mandatory for universities or local government, but recommended for adoption as a strong cyber security practice.
RecommendationUniversities should:
|
8. Use of artificial intelligence
The Australian Government identifies that artificial intelligence (AI) presents great opportunities for all levels of government to transform service delivery and enhance productivity and wellbeing. However, AI comes with risks that require active management.
This chapter offers an overview of AI adoption in universities and the current policies in place to oversee the use of AI.
While there is no one common definition of AI, the NSW Government’s ‘Artificial Intelligence Ethics Policy’ adopts the following definition:
| intelligent technology, programs and the use of advanced computing algorithms that can augment decision-making by identifying meaningful patterns in data. |
The Australian and NSW Governments have established policies and principles for responsible and ethical use of AI. While NSW universities are not bound by these documents, they are considered best practice. This includes:
- the Australian Government’s ‘Policy for the responsible use of AI in government’, ‘Australia’s AI Ethics Principles’ and ‘National framework for the assurance of artificial intelligence in government’
- the NSW Government’s ‘Artificial Intelligence Ethics Policy’ and ‘NSW artificial intelligence assessment framework’.
Chapter highlights
|
8.1. Adoption of AI
Some universities lack oversight of the AI they have implemented
Our survey found that six universities have identified and documented all AI tools implemented, but four do not have a complete understanding of what has been implemented.
A centralised inventory of AI tools in use is important for an entity’s transparency, oversight and accountability. Without such oversight, universities cannot assure themselves that they have fit-for-purpose governance arrangements in place to oversee the use of AI.
The ‘National framework for the assurance of artificial intelligence in government’ specifically identifies that:
| Governments should ensure their use of AI is disclosed to users or people who may be impacted by it. Governments should maintain a register of when it uses AI, its purpose, intended uses, and limitations. |
None of the universities that had identified and documented their AI tools had documented all of the facets. There are clear opportunities for universities to identify what AI is in use, and to ensure that key information about that use is captured.
Use of AI varies widely across universities
The number of AI tools implemented by universities varies widely. Among universities that have knowledge of the AI tools being implemented, one reported utilising up to 60 AI tools, including those in the pilot phase, while others reported having as few as five. A large portion of these products is procured from external vendors.
Among the universities with an understanding of the AI tools implemented within their institutions, these products cover a wide range of applications. Our survey noted that universities are using AI for various purposes, including but not limited to:
- research and consulting, including AI tools for personalised learning, transcription, thematic analysis, research and coding assistance
- education and teaching, including AI tools for learning and development support, image and text generation, video production and coding assistance
- student support services, including chatbots for answering student inquiries, survey and satisfaction analysis, churn prediction and automated scheduling
- operational and administrative activities, including AI tools for productivity enhancement, scheduling, code management and IT support enquiries.
8.2. Policies for responsible use of AI
Good governance and assurance arrangements support the effective delivery of ethical and lawful AI. There is no one-size-fits-all governance model. The ‘National framework for the assurance of artificial intelligence in government’ outlines that governance structures should be proportionate and adaptable to encourage innovation while maintaining ethical standards and protecting public interests.
As public education providers, universities also face unique challenges with the proliferation of AI, and in particular generative AI. This includes risks associated with maintaining academic integrity and standards.
Some universities have not adopted an AI policy
Three universities have yet to establish formal AI policies or embed the consideration of AI into existing policies. One of these reported that its policy was under development at the time of our review. The universities that have implemented an AI policy generally align with the Australian AI Ethics Principles.
These policies address various important issues, including fairness, transparency, accountability, data privacy, security, ethical use and intellectual property rights.
Universities can better integrate AI into their governance and risk management frameworks
The increasing utilisation of AI necessitates that universities review and update their existing governance arrangements to ensure they remain appropriate. While we did not complete a full review of university governance over the use of AI, we looked at the following key areas to understand whether the specific and unique risks posed by AI had been considered.
| Facet | Details |
| Accountability – Responsible owner identified for AI adoption and use | Only four universities have an overall owner responsible for AI adoption and use. Two universities reported that the role was under consideration at the time of our review. While exact responsibilities may differ, generally, an overall owner would be responsible for overseeing the deployment, ethical use and maintenance of AI tools, as well as ensuring that they align with the university’s objectives and legal and regulatory standards. |
| AI product testing guidance in place | Only four universities provide guidance on pre- and post-implementation product testing. One university reported that this was under consideration at the time of our review. Enhanced pre- and post-implementation testing protocols are crucial to identify and mitigate potential risks associated with AI systems, including risks associated with introducing unintended biases and vulnerabilities. Implementing rigorous testing procedures, both before and after deployment, would ensure that AI tools perform as intended and support the ongoing ethical use of AI. |
| Data governance model reviewed to support increased adoption of AI | Six universities have assessed if their data governance is mature enough to support the use of AI. All have an uplift program in place to address any limitations arising from the review. The ‘National framework for the assurance of artificial intelligence in government’ notes that the quality of an AI model’s output is driven by the quality of its data. Therefore, robust data governance frameworks are essential for ensuring the quality, integrity and security of data used by AI tools. |
| Procurement guidance reviewed and updated for the unique risks AI poses | Only four universities have revised their procurement guidance for additional considerations when procuring AI tools, despite the prevalence of procured AI solutions noted above. One university reported that this was under consideration at the time of our review. The ‘National framework for the assurance of artificial intelligence in government’ specifically outlines that careful consideration must be applied to procurement documentation and contractual arrangements. This includes consideration of:
Given the prevalence of procured AI solutions, universities may need to develop specific procurement guidelines tailored to AI tools. |
It is important that universities assess the broader impacts of AI on their governance arrangements. While we have not comprehensively considered these areas in our review, they include, for example:
- broader organisational and accountability structures
- risk management policies and procedures
- IT policies and procedures
- staff capability and training
- monitoring and reporting systems, including reporting to senior management and those charged with governance
- assurance frameworks to support ethical implementation of AI – the NSW Government has developed the NSW Artificial Intelligence Assessment Framework and materials to assist agencies with this.
Most universities have developed guidance for student use of AI
Most universities recognise the need to provide guidance to students on ethical and responsible use of AI tools, with nine universities having guidance in place. Common approaches to guidance include:
- providing online resources and workshops on academic integrity in the age of AI
- developing specific guidelines on the appropriate use of generative AI tools in assignments
- offering training on critical evaluation of AI-generated content.
In June 2024, the Tertiary Education and Quality Standards Agency (TEQSA) issued a request for information to all Australian higher education providers. This request asked for a credible institutional action plan addressing the risk generative AI poses to award integrity. As a first response, TEQSA developed the Gen AI strategies for Australian higher education: Emerging practice toolkit to support universities.
8.3. Strategic use of AI
Most universities lack a strategy to help maximise the benefits of AI
Eight universities recognise AI’s strategic impact and list it as a strategic risk, but only four have a strategy for AI or have embedded this into an existing strategy.
The absence of a unified strategy for the adoption of AI could significantly hinder universities from fully leveraging the potential benefits that AI offers. Without a clear and cohesive strategy, universities may struggle to coordinate their AI initiatives, leading to fragmented efforts that lack synergy. This disjointed approach can result in inefficient use of resources, as different departments might implement AI solutions independently without aligning them with the university’s overall objectives. Consequently, universities may not be able to achieve the full spectrum of AI-driven enhancements in areas such as research, teaching and administrative operations. By developing a comprehensive AI roadmap, universities can ensure that their AI initiatives are well-coordinated, strategically aligned and capable of delivering maximum value across the institution.
RecommendationUniversities should:
|
Appendices
Appendix 1 - Status of 2023 recommendations
Appendix 2 - Universities' controlled entities
Copyright notice
© Copyright reserved by the Audit Office of New South Wales. All rights reserved. No part of this publication may be reproduced without prior consent of the Audit Office of New South Wales. The Audit Office does not accept responsibility for loss or damage suffered by any person acting on or refraining from action as a result of any of this material.