Report 11

Information Systems Audit Report

Auditor General’s Overview

This is my eighth annual Information Systems Audit Report. The report summarises the results of the 2015 annual cycle of audits, plus application reviews completed by our Information Systems audit group since last year’s report.

The report is important because it reveals the common information system weaknesses we identified that can seriously affect the operations of government. It also contains recommendations that address these common weaknesses and as such, has a use broader than just the agencies we audited.

The first item of the report contains the results of our audit of key business applications at 5 agencies. Most of the applications we reviewed were working effectively. However, all 5 had weaknesses, the most common of which related to poor policies, procedures and security. The potential effect of these weaknesses is the compromising of sensitive information. We also found weaknesses in operational, procedural and process controls that could potentially impact delivery of key services to the public.

The second item presents the results of our general computer controls and capability assessments of agencies. There was a slight decrease in the number of agencies assessed as having mature general computer control environments across all 6 categories of our assessment. The number of agencies that failed to meet our expectations for 3 or more of these categories increased. Overall, the result was a slight decline from the previous year.

We have been reporting the capability assessments for a number of years and for the first time have included a trend line for each of the categories. Disappointingly, 2 of the categories have shown no improvement in the last 8 years. These continue to be affected by easy-to-address issues such as poor password management and ensuring processes to recover data and operations in the event of an incident are kept updated.

My practice is not to name agencies that have information system weaknesses for fear that this could encourage attempts to exploit the weaknesses. However, I am now reviewing that position and seeking advice as to whether the naming of high-risk agencies is necessary in order to achieve essential change.

Page last updated: June 22, 2016
