All 10 public universities in New South Wales have deficiencies in their IT and cyber security controls, the NSW Auditor-General has found, with weak management of legacy systems leaving the sector exposed to data breaches and system failures.

The Universities 2025 report, tabled in Parliament on 11 June 2026 by Auditor-General Bola Oyetunji, presents the results of financial audits of the state's 10 public universities for the year ended 31 December 2025.

Clean audit opinions were issued for all 10 institutions. However, auditors reported 94 control findings, with IT/cyber security, governance and payroll matters accounting for 70% of the total.

There were 28 control deficiencies in IT/cyber security, down from 35 in 2024. Deficiencies in managing and monitoring user access to key systems, including privileged accounts, made up over half of these findings and applied to all 10 universities.

Repeat findings comprised 36% of all issues reported to those charged with governance. Eight universities received repeat findings relating to user access and privileged user account management.

Legacy System Risks Unassessed

The audit identified significant gaps in how universities manage ageing technology. One university has no processes at all to manage legacy systems, and six have not formally assessed legacy system risks.

Three universities do not maintain an inventory of legacy systems. Four have no strategy or roadmap for upgrading, replacing or decommissioning them, and four do not include legacy systems in patching or vulnerability management processes.

“Weak management of legacy systems can increase universities’ exposure to cyber incidents, reduce confidence in system reliability, and limit their ability to detect, respond to and recover from cyber security events,” the report said.

A case study in the report describes a cyber incident at one university involving unauthorised access to an online code library used for software development. The accessed data included personal information for over 20,000 current and former staff, students, alumni and supporters, including historical data dating back to 2010.

“Risks associated with legacy environments can extend beyond the systems themselves, as legacy systems often generate large volumes of historical data that may continue to be retained after the systems are no longer in use,” the report said.

Supply Chain Blind Spots

The report also found weaknesses in managing third-party cyber security risks. Four universities have not specified cyber security roles and responsibilities in vendor contracts, and four lack a formal strategy to keep IT asset registers for externally hosted systems complete.

Five universities have no formal process to manage security risks after IT partnerships or service agreements end. Of the nine universities that test cyber incident response plans, five do not include relevant third-party providers in testing.

A second case study details an incident in which attackers accessed a university's third-party hosted student management system through an earlier breach of another linked external system. Personal, financial, health and legal information was taken and later used in fraudulent emails sent to members of the university community.

“This incident illustrates how supply chain dependencies can expand an entity’s attack surface and reinforces the need for strong third-party cyber security risk management,” the report said.

Governance And Spending Gaps

Seven universities have no process to set and monitor return on benefit realisation for cyber security spending. Only two identify and manage underutilised, redundant or outdated cyber security tools and services.

Governance oversight of conflicts of interest was also found wanting. Auditors identified over 790 instances of employees holding directorships in companies that were university vendors, with 30% of reviewed instances absent from conflict of interest registers.

Domestic Funding Shortfall

The report also highlights a widening funding gap between domestic and overseas students. In 2025, the average operating cost per student of $37,868 exceeded average revenue per domestic student of $25,213, including fees and government grants, representing a 33% deficit margin.

In contrast, average revenue per overseas student of $41,381 exceeded cost, delivering a 9% surplus margin. Overseas student revenue was 1.6 times higher than domestic revenue, a trend the report says has been consistent over the past five years.

Average Commonwealth Grant Scheme revenue of $10,550 per student has not kept pace with rising operating costs, meaning universities operate at a net loss on every domestic enrolment.

On artificial intelligence, three universities still do not have a formalised AI policy and only two have procurement guidance for AI-related purchases. The report found governance improvements are not keeping pace with the rate of AI adoption across the sector.

The report makes six recommendations to improve procurement processes, strengthen contingent labour hire management, enhance conflict of interest policies and progress AI governance maturity.

The findings echo the Audit Office’s Cyber Security Insights 2025 report, which found that while universities have strengthened cyber security frameworks and governance, gaps remain in how cyber risks are identified, prioritised and managed.