A KPMG audit has delivered an assessment of the Australian National Audit Office’s (ANAO) use of ICT, providing recommendations to improve risk management, key performance indicators and data recovery.
Released 20 May, the audit found the office to be “above or in line with acceptable practice,” with particular praise reserved for the effectiveness of its ICT governance and planning.
“The ANAO are either above or in line with the ‘acceptable practice’ maturity, with notable highlights in the areas of defining the current and future governance arrangements and in relation to selecting best fit options/solutions for the organisation,” states the report.
The report notes that the current ICT support services (including infrastructure and service delivery of ICT solutions) are outsourced to Unisys, which manages and maintains the business-as-usual aspects of the ICT environment. Unisys generates a monthly report which monitors service level agreements, service desk enquiries and current incidents, ICT environment changes, systems availability, network traffic volumes and usage, and continuous improvement activities.
While many agencies have been recently plagued by reports critical of their security policies, the report deemed the ANAO to possess a “detailed suite of comprehensive security policies.”
While the report was favourable overall, KPMG made three main recommendations to the ANAO. The audit recommended the ANAO align corporate ICT risks to its ICT Strategic Plan. It found there is limited discussion of how the ICT risks identified in the ANAO’s Information Communications Technology Strategic Plan 2009-2012 (ICTSP) will be managed. There are also minimal disaster recovery contingencies in place.
Better practice suggests that these key risks be visible through its strategy with a clear link to objectives created. It is suggested that the ANAO consider creating a clear link from the identified corporate ICT risks to the ICTSP.
In order to better measure the ICTSP, the ANAO should define Key Performance Indicators (KPIs). Whilst it is acknowledged that the ANAO has a range of KPIs and reports for its ICT activities and reviews the ICTSP on a yearly basis, additional benefit can be derived from consolidating such reports against a selection of KPIs so as to inform progress against broader strategic ICT objectives. The audit suggested the ANAO incorporate the relevant KPIs and targets into the ICTSP so as to assist the yearly deliberations of performance against the ICT strategy as a whole.
The audit also found potential for improvement in backup and recovery and in business continuity. Rotational backup tapes are stored off site, with the ANAO currently utilising the services of Recall to manage this process. The backup and recovery document briefly mentions data recovery; however, very little detail is provided in terms of specific procedures for the recovery of data. The audit suggests that further documented detail be provided for the monthly data recovery procedures and that the results from this testing be recorded.
The full report can be viewed here.