IT security governance still lacking for many NSW agencies: report


Tuesday, 04 November, 2025

The NSW Auditor-General has released a report that finds significant deficiencies in IT controls and cybersecurity practices remain across major NSW government agencies.

The report, Internal controls and governance 2025: Procurement and technology, examined 26 of NSW's largest public sector agencies. All five high-risk findings identified in the audit related to ineffective IT controls, including those designed to prevent cybersecurity incidents.

Audit findings on internal controls and governance were reported across all 26 agencies. While the total number of findings decreased in 2024–25 compared with the 2023–24 interim audits, repeat findings rose and now account for 33% of all reported issues. Five high-risk findings were reported, all relating to ineffective IT controls, including those designed to prevent cybersecurity incidents, and approximately half of all findings involved IT controls over key financial systems.

The audit report also found that agency procurement practices show deficiencies in policy alignment, capability, and oversight. Many do not fully incorporate mandatory requirements of the NSW Procurement Policy Framework, and procurement training is either lacking or not mandatory. Around half lack formal policies for best and final offer processes, and supplier relationship management is inconsistently applied, limiting value-for-money assurance.

While all agencies have conflict of interest policies, some are outdated and lack mechanisms for managing complaints, with over half failing to review centralised registers before awarding contracts.

The report also found that agencies could better integrate AI into their existing governance and strategy arrangements. Fewer than half have formal AI policies or have embedded AI into existing frameworks to guide responsible use. Only a quarter have developed strategies to maximise AI’s benefits, and AI is not yet widely used as a strategic or operational tool across the sector.

Control deficiencies also make agencies vulnerable to supply chain cybersecurity threats and reduce investment effectiveness. Three agencies lack formal policies addressing supply chain cyber risks, and eight do not have strategies to maintain complete IT asset registers, limiting visibility of systems. Weak third-party oversight was observed, including unclear contractual roles and limited post-termination planning. Additionally, not all agencies conduct cost–benefit analyses or align cybersecurity spending with threat landscapes, and only seven actively manage underutilised or outdated cybersecurity tools.

The report recommends that agencies strengthen controls and processes across three key areas: procurement frameworks, adoption of artificial intelligence, and cybersecurity controls.

The full report can be found here.
