I am pleased to present our first local government Information Systems Audit report since the proclamation of the Local Government Amendment (Auditing) Act 2017. The report summarises the results of the 2019 cycle of information systems audits at 10 local government entities.
Our general computer control audits are a fundamental part of our financial audits. They help to provide assurance that the financial information generated by information systems is accurate, reliable and completely recorded. While local governments differ in size and scale, it is critical that they have effective controls to manage information systems.
The report has 2 parts:
- Information systems – security gap analysis
- General computer controls and capability assessment of local government entities.
The security gap analysis benchmarks the results of local government entities’ security practices against a globally recognised standard. This standard provides a set of controls which entities can easily implement to protect critical information from internal and external threats. The standard provides useful guidance on how entities can address weaknesses and risks to their information security. My Office performed a similar exercise for State government entities in our 2013 Information Systems Audit Report.
We found that all 10 local government entities had significant shortcomings in their information security practices. Entities need to seriously consider these standards and the recommendations in this report to improve information security practices and protect the confidentiality, integrity and availability of information and systems.
The second part of this report outlines the results of our general computer controls audits and capability assessments. Overall, the level of maturity in the reviewed local government entities was low, with no entity meeting our minimum benchmark across all control categories.
Local government entities’ information systems are integral for delivering key public services. However, most of the entities do not have a holistic view of activities that pose risks to their information systems. Entities should have visibility over their systems and take a strategic approach to address these risks.
International standards provide a good framework and starting point for entities to develop and implement sound practices in their operational and strategic security processes. My Office will continue to monitor and report on general computer controls and capability assessments of local government entities. We expect to see better results, similar to the improvements made in the State sector in recent years, as reported through our regular information system audit program.