This audit assessed information and communications technology (ICT) controls in the Victorian public sector.
The Auditor-General is the external auditor of Victoria's public sector entities, and has a legislated obligation to provide independent assurance to the Parliament about the financial status as well as the efficiency, effectiveness and economy of these entities.
This inaugural report summarises the results of our audits of public sector entities' ICT general controls as part of the 2013–14 financial audits. This report is the first of its type by VAGO and aims to provide extra insight and visibility of our ICT-related audit findings, and also identify wider trends that may not be covered in the reports we give to an entity's management.
Notwithstanding some deficiencies in ICT controls, VAGO was able to rely on these controls for financial reporting purposes because other mitigating controls were identified and tested. Most ICT audit findings were medium risk, with none ranked as an extreme risk. High-risk ICT audit findings are concentrated in a few ICT general controls categories.
The five themes identified through our ICT audits were:
- ICT security controls need improvement
- management of service organisation assurance activities requires attention
- prior-period audit findings are not being addressed in a timely manner
- patch management processes need improvement
- ICT disaster recovery planning is weak.
In future reports, we will perform detailed maturity assessments of selected entities' ICT environments and examine some selected areas of focus, such as identity and access management, software licensing and wireless network security.