Strengthening Internal Controls and Cybersecurity in NSW Public Sector
Trends in Internal Controls and Information Technology Management
Decline in High-Risk Control Deficiencies: Highlighting the Year-over-Year Improvements
On December 20, 2023, the Audit Office of New South Wales published its annual report Internal Controls and Governance 2023. The review covered the 25 largest agencies in the NSW public sector and identified key trends and deficiencies in their control environments.
Internal Control Trends
- Reduction in High-Risk Deficiencies: This year, the proportion of control deficiencies identified as high-risk decreased to 4.5%, down from 8.2% in 2022.
- Repeat Findings: Repeat findings of control deficiencies represent 38% of all findings, showing a decrease from 48% in the previous year.
Information Technology Deficiencies
- User Access Management: Over half of the agencies reviewed have significant deficiencies in managing user access to their information systems.
- Privileged User Accounts: More than one-third of agencies had deficiencies in their controls over privileged user accounts within their information technology environments.
These findings underscore the critical need for ongoing improvements in internal control mechanisms and IT security practices within NSW public sector agencies.
Cybersecurity Challenges and Governance Frameworks
The report also highlighted substantial challenges in cybersecurity and governance that need immediate attention to safeguard sensitive data and maintain public trust.
Cybersecurity Maturity
- Compliance with NSW Cyber Security Policy: In over 80% of the maturity assessments against the NSW Cyber Security Policy, agencies self-assessed that one or more Mandatory Requirements are not practised consistently and regularly.
- Essential Eight Cyber Controls: There has been no improvement in the implementation of the Essential Eight cyber controls, signalling a critical area that requires urgent enhancement.
Governance and Risk Management
- Governance Framework Deficiencies: Notable deficiencies were found in agencies’ governance and risk management frameworks, including outdated risk management policies, a lack of risk appetite statements, and internal audit functions that have not been externally evaluated.
Third-Party Security Enhancements
- Mandatory Security Clauses in Contracts: According to the latest Third Party Security Policy by the Audit Office of NSW, it is now mandatory for all new contracts with third parties to include agreed mitigations identified during the assessment process. These mitigations must be clearly defined and incorporated into contracts as specific clauses.
This comprehensive report from the Audit Office of NSW underscores a pivotal moment for NSW public sector agencies, urging them to adopt stronger cybersecurity measures and robust governance frameworks to mitigate risks and enhance overall security posture.
By aligning internal governance with enhanced cybersecurity measures and detailed contractual requirements with third parties, NSW agencies can better secure their digital environments and uphold their commitment to governance excellence.
Source: https://www.audit.nsw.gov.au/our-work/reports/internal-controls-and-governance-2023