
Unis need better risk management, infosec and to stop playing politics

New South Wales universities need to continue improving their risk management frameworks — and for three, the reputational risk of being seen to support one side of politics must be eliminated, according to the state’s auditor-general.

Grant Hehir

Risk management frameworks are still maturing in the 10 NSW universities, according to a recent report from the office of Grant Hehir, who is soon to take over from Ian McPhee as national Auditor-General. The report sketches out what a good risk management framework looks like:

“In the university with the most mature risk management framework, risk awareness is evident at each business level. Executive management uses a top-down approach to communicate strategic risks. Risk owners, at the operational levels, conduct risk management workshops to identify key risks and promptly escalate issues to management.”

However, the university at the other end of the spectrum has not developed the appropriate culture, where risk management is integral to all daily operations and consistently applied across every part of the organisation, Hehir reports:

“Most universities have started to embed a risk awareness culture, but this is inconsistent across business units and enterprise risk management lacks depth in the faculties.”

Three of the ten universities have paid for staff to attend events hosted by political parties, which is considered a political donation under the relevant legislation. Most have policies prohibiting political donations; Hehir says they all should. The report explains:

“Management of the three universities that made the political donations advise that attendance at political party events is designed to maintain relationships and gain a thorough and broad understanding of major public policy commitments being proposed by major political parties.

“While the value of the donations identified in the survey was small in the context of the university’s operations, the use of university finances for political donations is considered inappropriate for public entities.

“Despite these donations being inappropriate use of public monies, universities or their controlled entities may not be precluded from making political donations or be in breach of election funding legislation.”

The report also reveals that all 10 universities spend more on “non-academic employee related expenses” than the federal Department of Education and Training recommends as “good practice” — 25.8% to 32.2% of total expenses, versus 18-20%.

The institutions are in fairly sound financial positions generally, Hehir reports, but sustainability pressures are emerging, with expenditure growth outpacing revenue growth in six. Debt levels are low, but increasing.

The audit also revealed ongoing issues with information security, exposing the universities to “attacks, data integrity issues, fraud and identity theft”, with Hehir noting in his online summary of the audit:

“It is disappointing that over a quarter of the issues raised by the Audit Office in 2013 were not addressed in 2014.”

The main area of concern is user access, including weak or non-existent processes for reviewing who has access, failure to terminate access quickly enough, password parameters for financial system access and poor management of privileged access.

The NSW auditor-general made nine recommendations in the report to improve financial sustainability, governance, and teaching and research.

 

Author Bio

Stephen Easton

Stephen Easton is a journalist at The Mandarin based in Canberra. He's previously reported for Canberra CityNews and worked on industry titles for The Intermedia Group.