A report by the Queensland Audit Office into the State’s Internal Control Systems has found significant faults relating to information security controls, putting agencies’ material at risk of unauthorised access, and opening up content to tampering and external breaches.
The audited information systems relate to those that “initiate, record, process and report transactions, including the related business processes relevant to financial reporting.”
Between 2012-13 and 2013-14, the number of issues detected rose from 22 to 25. Issues were identified in seven of the agencies audited in both the 2012-13 and the 2013-14 audits.
“Information security control weaknesses remain the primary area of concern for departments, representing 84 per cent of information system issues identified, compared to 64 per cent in 2012-13,” according to the Audit.
The Audit identified the chief security weaknesses as:
- “Inadequate review of user role activities – this may result in staff members who have inappropriate system access not being detected on a timely basis;
- Users having inappropriate access to sensitive or restricted transactions – inappropriate access may give these users the ability to perpetrate fraud or result in the leak of sensitive information;
- Vulnerability to external attack from the internet – security breaches could compromise the department’s systems, operations and confidential information; and
- Poor management of user accounts with broad access to all system transactions, including not maintaining strict access to these accounts and not monitoring access and performing unauthorised and potentially fraudulent transactions.”
Auditor-General Andrew Greaves concluded that public sector management must redirect focus towards strengthening information systems to ensure the integrity of data in Queensland going forward.