IT Governance Lacking in NSW Public Sector
A NSW Auditor-General's report has revealed significant deficiencies in IT controls and cyber security practices across major NSW government agencies, with nearly half of all audit findings related to information technology weaknesses.
The report, "Internal controls and governance 2025: Procurement and technology", examined 26 of NSW's largest public sector agencies representing 95% of the state government's $A30B plus annual budgeted expenditure.
All five high-risk findings identified in the audit related to ineffective IT controls, including those designed to prevent cyber security incidents.
In one alarming case, an agency experienced a cyber attack where the threat actor remained undetected in a key financial system for approximately a month due to inadequate monitoring controls.
The same agency was running unsupported operating systems on servers hosting "crown jewel" applications without formal risk assessment or remediation plans, and lacked basic security protections like multi-factor authentication.
Another case study revealed a payroll officer who modified their own employee master file record due to insufficient segregation of duties, with payments going undetected because they fell below monetary detection thresholds.
"Three agencies lack formal policies addressing supply chain cyber risks, and eight do not have strategies to maintain complete IT asset registers, limiting visibility of systems," the report stated.
The audit uncovered that seven agencies failed to identify and manage underutilised or outdated cyber security tools, potentially wasting resources and leaving security gaps.
Vendor Management and Conflict of Interest Issues
One agency discovered 15 employees held roles as directors in external entities that had financial dealings with the agency, yet none had submitted conflict of interest declarations regarding these relationships.
In another case, an agency improperly updated vendor details based on a fraudulent request, bypassing verification protocols and nearly resulting in payments to fraudulent bank accounts.
"More than half of all agencies do not formally review centralised conflict of interest registers before awarding procurement contracts," the report found.
The report highlighted artificial intelligence as an emerging concern, noting that fewer than half of the agencies examined had implemented formal AI policies despite widespread adoption.
"Only a quarter of agencies have developed strategies to maximise AI's benefits, and AI has not yet been integrated as a strategic or operational tool across the sector," the report found.
Auditor-General Bola Oyetunji recommended agencies enhance procurement frameworks, improve cyber security controls, and establish better AI governance by June 2026.
The report found that access control issues were pervasive, with four agencies granting system access without proper approval and five delaying access deactivation for terminated users.
