The recent ANAO Audit of Financial Statements across 25 Agencies found there had been significant improvements in IT management since 2008. Improvements were found particularly in IT security, and in incident and problem management. However, the Audit also noted continuing weaknesses in a number of key areas. In particular, Change Management received the greatest criticism, as outlined below.
ANAO also noted the level of vendor penetration into the 25 Agencies, as shown below.
Australian National Audit Office, ANAO Audit Report No.42 2008–09, Interim Phase of the Audit of Financial Statements of General Government Sector Agencies for the Year ending 30 June 2009, prepared by Ian McPhee, Auditor-General, Australian National Audit Office, 74
This year, the Review found both good news and bad news:
IT security management
There have been significant improvements in Security Management since the 2008 report, particularly in the areas of security governance and user access management. All Agencies now have acceptable network security.
Incident and Problem Management
Incident and problem management also showed significant improvements, particularly in the adoption of configuration management tools. The most significant area for improvement was developing better linkages between incident and problem management to appropriate change management procedures.
IT Change Management
In 2008, Change Management received a poor report with most agencies needing improved procedures for change logs and backout procedures. While this year showed a vast improvement, it was still a generally poor result. Over 30% of agencies still need to improve their policy and governance structures, while 25% need to improve their change logs and reporting procedures.
Financial Management Information Systems (FMIS)
FMIS management grew significantly worse in a number of key areas. Access management appears to be a big area of concern. Almost half of the 25 reviewed agencies need to improve their management of Privileged Users, while 36% need to improve general user access management. Both measures are significantly worse compared to the 2008 review. The greatest area of improvement was Payment Processing Reconciliations.
Human Resource Management Information Management Systems (HRMIS)
HRMIS management generally showed significant improvements over a generally poor result in 2008. Poor results were reported for Privileged User Management and User Access Management.
Overall, the ANAO findings provide an interesting expansion of the findings outlined in the Gershon Review, where IT governance was found to be a major area of concern.