Report highlights: Internal controls and governance 2022

What the report is about

This report analyses the internal controls and governance of the 25 largest agencies in the NSW public sector, excluding state-owned corporations and public financial corporations, for the year ended 30 June 2022.

What we found

Internal control trends

The proportion of control deficiencies identified as high-risk this year increased to 8.2% (5.9% in 2020–21). Sixteen of the 23 high-risk findings related to financial controls while seven related to IT controls.

Repeat findings of control deficiencies now represent 48% of all findings (47% in 2020–21).

Information technology

There continues to be a high number of deficiencies relating to IT general controls, particularly around user access reviews, which affected 56% of agencies.

Cyber security

Agencies' self-assessed maturity levels against the NSW Cyber Security Policy mandatory requirements are lower than target levels. Overall, maturity levels against the Australian Cyber Security Centre's Essential Eight controls have not improved since last year.

Management of cyber risks relating to third party IT service providers should be improved. IT service providers may pose risks to the agency if the provider's cyber security controls have weaknesses.

Consultants and contractors

Agencies risk over-reliance on the same consultants and contractors. A quarter of agencies have re-engaged the same contractor over the past five years.

Employment screening Twenty-four per cent of agencies have not complied with the employment screening requirements of the Government Sector Employment Act 2013 with regard to citizenship or residency. Screening and induction practices for non-permanent workers are often less stringent than for permanent employees. This can pose increased risks to an entity of not detecting applicants with false credentials or a history of corrupt conduct.

Contract management

Half of all agencies' procurement contract registers are incomplete, which is non-compliant with the Government Information (Public Access) Act 2009.

What we recommended

Agencies should:

  • prioritise actions to address repeat control deficiencies
  • prioritise improvements to their cyber security and resilience
  • reinforce mandatory cyber training to all staff and improve completion rates
  • ensure that contractor engagements that have been renewed over multiple years are periodically reassessed against the market.

Fast facts

The 25 largest NSW government agencies in this report cover all ten clusters and represent over 95% of total expenditure for the NSW public sector. 

  • 23 high-risk findings identified
  • 20% of agencies have not defined how they manage cyber risks relating to IT service providers
  • $1.2b in combined contractor fees for the 25 agencies in 2022
  • 48% of all internal control deficiencies identified in 2021–22 were repeat findings
  • $127m in combined consultant fees for the 25 agencies in 2022
  • 42% of agencies conduct credential checks for all appointments

Further information 

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.