NSW public sector controls are improving, but cyber governance gaps remain visible
The Audit Office of New South Wales reviewed internal controls and governance across the largest 25 NSW public sector agencies. High-risk control deficiencies declined year over year, but recurring findings in user access, privileged accounts, Essential Eight implementation, governance frameworks, and third-party contract controls show why continuous assurance still matters.
Persistent weaknesses sit where access, maturity, governance, and third parties meet
User access management
More than half of reviewed agencies had significant deficiencies in managing user access to information systems.
Privileged accounts
More than one-third of agencies had deficiencies in controls over privileged user accounts within IT environments.
Essential Eight maturity
The report found no improvement in Essential Eight cyber control implementation, making it an urgent focus area.
Third-party clauses
New third-party contracts must include agreed mitigations from assessment processes as specific contractual clauses.
Ikara connects control findings to live accountability and evidence
Monitor access controls
Track user and privileged account controls as operational obligations, not static audit findings.
Measure Essential Eight posture
Continuously assess maturity against required cyber controls and expose gaps that need remediation.
Report current-state evidence
Give leaders real-time assurance evidence across agencies, systems, controls, and service dependencies.
Map governance obligations
Connect risk management policies, risk appetite, internal audit expectations, and control ownership into a clear view.
Embed contract mitigations
Turn third-party assessment mitigations into trackable clauses and service obligations.
Escalate control drift
Alert teams when mandatory requirements, controls, or supplier obligations are not practised consistently.
Audit improvement needs to become continuous operational discipline
The decline in high-risk findings is encouraging, but repeat deficiencies, inconsistent mandatory cyber practices, and third-party security requirements mean agencies need ongoing visibility rather than periodic review cycles.
Reduced high-risk deficiencies
High-risk control deficiencies fell to 4.5 percent, down from 8.2 percent in 2022.
Repeat findings still matter
Repeat control deficiencies still represented 38 percent of all findings, showing the need for sustained remediation.
Cyber maturity needs proof
Mandatory requirements and Essential Eight controls need evidence that they are practised consistently and regularly.
NSW agencies need continuous assurance across internal controls, cyber maturity, and supplier obligations
Ikara helps public sector organisations move from audit-point findings to live control evidence, giving teams a clearer view of access risks, Essential Eight maturity, governance obligations, and third-party security commitments.
Make control assurance continuous.
See how Ikara can turn audit findings into live evidence and accountable action.