The objective of our general computer controls (GCC) audits is to determine whether computer controls effectively support the confidentiality, integrity, and availability of information systems. General computer controls include controls over the information technology (IT) environment, computer operations, access to programs and data, program development and program changes. In 2017 we focused on the following control categories:
- information security
- business continuity
- management of IT risks
- IT operations
- change control
- physical security.
We reported 539 general computer controls issues to the 47 agencies audited in 2017 compared with 441 issues at 46 agencies in 2016. This increase is, in part, due to a more detailed assessment into all general control categories in 2017.
There was an increase in the number of agencies assessed as having mature general computer control environments across all 6 categories of our assessment. Ten agencies met our expectations for managing their computer environments effectively, compared with only 6 in 2016.
While system change controls and physical security are managed effectively by most agencies, 2 of the categories, information security and business continuity, have shown little improvement in the last 10 years. The majority of issues we have identified can be easily addressed with better password management and ensuring processes to recover data and operations in the event of an incident are kept updated.
By not prioritising the security and continuity of information systems, agencies risk disruption to the delivery of vital services to the community and compromise the confidentiality and integrity of the information they hold.
We use the results of our GCC work to inform our capability assessments of agencies. Capability maturity models are a way of assessing how well developed and capable the established IT controls are. The models provide a benchmark for agency performance and a means for comparing results from year to year.
The models we developed use accepted industry good practice as the basis for assessment. Our assessment of the appropriate maturity level for an agency’s general computer controls is influenced by various factors. These include: the business objectives of the agency; the level of dependence on IT; the technological sophistication of their computer systems; and the value of information managed by the agency.
We conducted GCC audits at 47 agencies. This is the tenth year we have assessed agencies against globally recognised good practice.
We provided 40 of the 47 agencies with capability assessment documentation and asked them to complete and return the forms at the end of the audit. We then met with each of the agencies to compare their assessment and ours, which was based on the results of our GCC audits. Seven agencies, whose GCC audits were outsourced, were not included in the capability assessment.
We use a 0-5 scale rating to evaluate each agency’s capability maturity level in each of the GCC audit focus areas. The models provide a baseline for comparing results for agencies from year to year. We have included specific case studies where information security weaknesses potentially compromise agencies’ systems.
 The information within this maturity model assessment is based on the criteria defined within the Control Objectives for Information and related Technology (COBIT) manual.