The Information Systems Audit Report is tabled each year by my Office. This is an important report because it identifies a range of common Information Systems issues that can seriously affect the operations of government if not addressed.
The report summarises the results of the 2013 annual cycle of audits, plus other audit work completed by our Information Systems group since last year’s report of June 2013. This year the report contains four items:
- Identity Access Management Project at the Department of Health
- Cloud Computing
- Management Application
- Controls Audits
In the first item we report on our audit of the Identity Access Management Project at the Department of Health – an important project with potential to impact the successful opening of the Fiona Stanley Hospital. Concern with the project led the Acting Director General of Health to recommend that I audit it. The reasons why ICT projects often run over time and over budget were evident in this project. This report has lessons for all agencies in planning and managing ICT projects.
The second item reports on how five agencies were managing their cloud computing arrangements. Cloud computing is a new business model for delivering ICT resources, but is not new technology. One of the prominent risks of cloud arrangements is the potential threat to data sovereignty and security. We therefore looked at the extent to which agency data was held offshore and at the controls to protect data sovereignty and security. Of concern was that none of the agencies could demonstrate effective contract management of their cloud based services.
The third item of the report contains the results of our audit of key business applications at three agencies. Most of the applications we reviewed were working effectively. However, all three agencies had challenges dealing with systems that had evolved over time to address business needs. We found data integrity weaknesses and time consuming manual processes that could potentially impact delivery of key services to the public.
The final item presents the results of our general computer controls and capability assessments of agencies. It was pleasing to note an increase from three to eight in the number of agencies assessed as having mature general computer control environments across all six categories of our assessment. However, the number of agencies that failed to meet our expectations in three or more of these categories also increased. Nonetheless, the overall result was a slight improvement over the prior year.
The findings and recommendations from these audits should not just be of interest to Chief Information Officers. Chief Executive Officers and other senior managers also need to fully appreciate the opportunities and threats that are inherent within their IT systems. It is not wise or acceptable to push these issues aside for the sole attention of the IT experts.