The Australian National Audit Office released today its AUDITFocus newsletter summarising the findings of recent audit activity. The document provides a useful summary of key issues and findings. An assessment of the significant ICT audit issues is provided below:
2008–09 Interim Financial Statement
Each year the ANAO undertakes a Financial Statements audit to assess the validity of financial reporting in each agency. The audit also provides useful insights into ICT controls and governance. Generally ANAO gave a positive report for 2008-09, noting significant improvements in IT security, as well as incident and problem management.
However shortcomings were found in the following areas:
- Some agencies did not have tested organisation-wide Business Continuity Plans endorsed by the agency executive;
- Some agencies did not review, update or test these plans as part of normal business practice;
- A number of agencies had continuing weaknesses in the management of special or privileged users, including a failure to log the activities of these users;
- Many agencies did not review their change management procedures on a regular basis; and
- Some agencies had a number of weaknesses in the security and management controls of both their Financial Management Information Systems and their Human Resource Management Information Systems.
- Audit Report No. 42, 2008–09: Interim Phase of the Audit of Financial Statements of General Government Sector Agencies for the Year Ending 30 June 2009.
Security Risk Management
ANAO undertook a review of security risk management in three agencies:
- Australian Agency for International Development (AusAID);
- Australian Institute of Health and Welfare (AIHW); and
- Department of the Treasury (Treasury).
The audit found that, of the three organisations audited, only AusAID had a separate security risk management policy. Treasury had developed a corporate risk management policy which provided the framework for all risk management activities in the department.
More importantly, ANAO received advice that agencies governed by the Commonwealth Authorities and Companies Act (CAC Act) may be covered by the Australian Protective Security Manual (PSM), particularly where their staff are employed under the Public Service Act. This applies to AIHW as well as to a number of other CAC Act agencies.
This means coverage of the PSM may be much wider than previously understood. ANAO recommended that the Attorney General’s Department, “given its role in developing and promulgating protective security policy, work with Finance to clarify to which CAC Act organisations the PSM applies”.
- Audit Report No. 44, 2008–09: Security Risk Management.
Data Analysis in ANAO Audits
ANAO found “the agencies audited have a range of IT systems and applications to store, retrieve and process client and non-client information. These systems include both legacy mainframe and newer systems. A challenge for agencies in this environment is balancing the resources required to maintain legacy systems while developing new IT capability with its greater functionality and opportunities to maintain better data integrity.”
“The audits revealed that there was considerable scope in both agencies to improve the management of their information systems and, in particular, the quality and integrity of data. This in turn, would support improved service delivery. The quality of the data would also have been substantially improved through the development and use of an effective accountability regime, including quality control, to assure the quality of records over time. Additional assurance of data quality would be gained from a greater focus on data collection standards and controls, and procedural compliance around data input and records maintenance, including timely deletion or relocation of outdated and erroneous data.”
- Audit Report No. 28, 2008–09: Quality and Integrity of the Department of Veterans’ Affairs Income Support Records.
- Audit Report No. 35, 2008–09: Management of the Movement Alert List, Department of Immigration and Citizenship.