Report 9: 2020-21

Western Australian Registry System – Application Controls Audit

Auditor General’s overview

Our eleventh annual Information Systems Audit Report was tabled in Parliament on 15 May 2019. The report contained the results of the 2018 annual cycle of information systems audits. These included findings from our audit of key business applications at 4 public sector entities, as well as the results of our general computer controls and capability assessments.

The following report summarises the results of a further application controls audit that my office performed at the same time, of the Western Australian Registry System, used by the Registry of Births, Deaths and Marriages (a division of the WA Department of Justice).

The results of the audit were so concerning that, in a highly unusual step and in accordance with sections 7(6) and 25(1) of the Auditor General Act 2006, I decided not to include the results of this application controls audit in the May 2019 report to Parliament. I considered that publishing the significant findings at that time, when the system vulnerabilities still existed, would not be in the public interest. Instead, I provided my parliamentary oversight committees, the Public Accounts Committee and Estimates and Financial Operations Committee, as well as relevant Ministers, with briefings and the detailed report in confidence.

My Office frequently finds weaknesses in public sector entities’ systems, as reported in my tabled reports. However, the nature of the data in the Western Australian Registry System, and what it can potentially be used for, renders the findings in this report particularly concerning. Knowledge of weaknesses in this system would be of keen interest to those with malicious intent who seek financial or other gains from the alteration of, or access to, foundational identity records of Western Australian citizens. The risk is higher due to other weaknesses in the Department of Justice’s broader IT environment, also identified by this Office in previous audits over the years. These have included weak network security, access and vulnerability management controls, which are designed to protect the confidentiality and integrity of sensitive and privileged data. Each is an important layer in maintaining effective defence against security threats.

Since the 2019 findings were reported to the Department, the Director General has provided me with regular updates on the progress of work to address the shortcomings, and my Office has since verified key aspects of actions implemented to address the weaknesses. It was important to address these aspects before public reporting, else it may have exposed a critical system and dataset to deliberate harm. 

The recommendations to address the findings in this report may be relevant to other public sector operations. Ensuring entities implement and enforce good security practices and regularly test them should be a focus and key responsibility for all executive teams, particularly where highly sensitive and valuable data is involved. Continually raising staff awareness, at all levels, of information and cyber security issues is another proven way to embed good practice and security hygiene into everyday operations.

Furthermore, it is important to recognise that outsourcing system development and maintenance to third party vendors, who have access to sensitive data, does not absolve any public sector entity of responsibility for strong data governance. Indeed, an understanding of risks, and capability for monitoring and oversight, are of heightened importance.

Page last updated: November 26, 2020