Report 18: 2019-20

Information Systems Audit Report 2020 – State Government Entities

Introduction

The objective of our general computer controls (GCCs) audits is to determine whether computer controls effectively support the confidentiality, integrity, and availability of information systems. Information systems are important for the delivery of essential services to the public. GCCs include controls over the information technology (IT) environment, computer operations, access to programs and data, program development and program changes. In 2019, we focused on 6 categories of GCCs:

  • information security
  • business continuity
  • management of IT risks
  • IT operations
  • change control
  • physical security.

Conclusion

The number of entities that met our expectations across all control categories continued to improve in 2019, with 15 entities meeting the benchmark compared to 13 in 2018.

However, we continue to find a large number of GCC weaknesses which could compromise the confidentiality, integrity and availability of information systems. In 2019, we reported 522 GCC issues to 50 State government entities. This was a slight reduction from the 547 issues reported at 47 entities in 2018. However, entities are not addressing audit findings quickly: 45% of the findings reported in 2019 were repeats of findings we had reported previously. Promptly addressing audit findings is one way entities can remain vigilant against the rapidly changing threats to information systems.

Controls over information security and business continuity are slowly improving, but they continue to be areas of concern. We found that 46% of the entities still don’t have appropriate business continuity strategies and 43% lack controls to adequately manage information security. Poor controls in these areas leave systems and information vulnerable to misuse and may impact critical services provided to the public.

Our capability maturity model assessment indicated that entities are managing system changes and physical security relatively well. We also noted there was a slight improvement in the management of IT risks.

All entities need to pay more attention to information security and cyber risks, including procedures to classify information. These risks require the same attention as other critical business risks and building a culture of security is essential in effectively treating them.

Background

We use the results of our GCC work to inform our capability assessments of entities. Capability maturity models (CMMs) are a way to assess how well developed and capable entities’ established IT controls are. The models provide a benchmark for entity performance and means for comparing results from year to year, and across entities.

The model we have developed uses accepted industry good practice as the basis for assessment. Our assessment of GCC maturity is influenced by various factors including the:

  • business objectives of the entity
  • level of dependence on IT
  • technological sophistication of computer systems
  • value of information managed by the entity.

Audit focus and scope

We conducted GCC audits at 50 State government entities. This is the 12th year we have assessed entities against globally recognised good practice.

We provided 37 of the 50 entities with capability assessments and asked them to self-assess. We then met with each of these entities to compare their assessment with ours, which was based on the results of our GCC audits. We did not perform a capability assessment at the remaining 13 entities because their audits were fully outsourced or IT control testing was performed by our financial audit teams.

We use a 0-5 rating scale[1] to evaluate each entity's capability maturity level in each of the GCC categories. We have included specific case studies where information security weaknesses potentially compromise entities' systems.

[1] The information within this maturity model assessment is derived from the criteria defined within COBIT 4.1, released in 2007 by ISACA.

Page last updated: April 6, 2020