Report highlights: Internal controls and governance 2021
What the report is about
This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state owned corporations and public financial corporations, for the year ended 30 June 2021.
What we found
Internal control trends
The proportion of control deficiencies identified as high risk this year increased to 2.8 per cent (2.5 per cent in 2019–20). Six high risk findings related to financial controls while three related to IT controls. Two were repeat findings from the previous year.
Repeat findings of control deficiencies now represent 49 per cent of all findings (42 per cent in 2019–20).
We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access, which affected 82 per cent of agencies.
Agencies' self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low. Although agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and, of those that have set target levels, 40 per cent have not met them.
Policies, processes and definitions around security incidents and data breaches lack consistency. Improvement is required to ensure breaches are recorded in registers and action is taken to address the root cause of incidents.
Conflicts of interest
Agencies' policies generally meet the minimum requirements of the Ethical Framework set out in the Government Sector Employment Act 2013. However, few meet the Independent Commission Against Corruption's best practice guidelines. Policies could be strengthened in relation to requirements around annual declarations of interests from employees and contractors.
Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of agencies respectively.
Weaknesses were identified in those policies. Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.
Most agencies do not maintain a register to monitor recommendations from performance audits and public inquiries. Registers of recommendations could be improved to include risk ratings and record revisions to due dates. While recommendations can take several years to fully address, the oldest open items were originally due for completion by June 2016.
What we recommended
We recommended that agencies:
- prioritise actions to address repeat control deficiencies, particularly those that have been repeat findings for a number of years
- prioritise improvements to their cyber security and resilience as a matter of urgency
- formalise and implement policies on tracking and monitoring the progress of implementing recommendations from performance audits and public inquiries.
The 25 largest NSW government agencies in this report cover all nine clusters and represent over 95 per cent of total expenditure for the NSW public sector.
- 9 high risk audit findings were identified this year
- 40% of agencies have not formally accepted residual cyber risk based on their self-assessed maturity levels
- 52% of agencies do not have a policy on tracking recommendations from performance audits and public inquiries
- 50% of all internal control deficiencies identified in 2020–21 were repeat findings
- 75% is the average completion rate of annual staff declarations of interests.
Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.