In a break with normal practice, the Auditor-General has published a financial audit on the internal controls and governance of the 25 largest Agencies in the NSW Public Sector for the 2020-21 financial year, ahead of the annual Report on State Finances.
In her Report, Internal controls and governance 2021, Auditor-General Margaret Crawford said her Office’s preferred approach was to table the Report on State Finances before any other cluster report; however, that Report had been delayed due to significant accounting issues being considered in the Total State Sector Accounts.
Ms Crawford said there were no matters in her Internal controls and governance 2021 Report that impacted the Total State Sector Accounts, so there was no need to delay its release.
She said her Report found the proportion of control deficiencies identified as high risk increased to 2.8 per cent from 2.5 per cent in 2019-20, with repeat findings of control deficiencies now representing 49 per cent of all findings, up from 42 per cent.
“We continue to see a high number of deficiencies relating to IT general controls, particularly around user access administration and privileged user access, which affected 82 per cent of Agencies,” Ms Crawford said.
“Agencies’ self-assessed maturity levels against the NSW Cyber Security Policy (CSP) mandatory requirements are low,” she said.
“Although Agencies are required to demonstrate continuous improvement against the CSP, 20 per cent have not set target levels and of those that have set target levels, 40 per cent have not met their target levels.”
Ms Crawford said policies, processes and definitions around security incidents and data breaches lacked consistency.
The Auditor-General said that while Agencies’ conflicts of interest policies generally met the minimum requirements set out in the Government Sector Employment Act 2013, few met the Independent Commission Against Corruption’s best practice guidelines.
“Policies governing the management of supplier masterfiles and employee masterfiles existed in 79 per cent and 54 per cent of Agencies respectively,” she said.
“Weaknesses were identified in those policies.
“Access restriction, segregation of duties and record keeping were the most common opportunities for improvement.”
Ms Crawford made three recommendations to Agencies: to prioritise actions to address repeat control deficiencies; to prioritise improvements to cyber security and resilience as a matter of urgency; and to formalise policies on monitoring the progress of implementing recommendations from performance audits and public inquiries.
The Auditor-General’s 61-page Report can be accessed at this PS News link.