This report summarises audits of 45 public sector entities' information technology controls in Victoria.
This report summarises the results of our audits of 45 public sector entities' IT controls, performed in support of VAGO's 2014–15 financial audits. This report is in its second year and builds on the inaugural ICT controls report 2014–15 to provide additional insight and increase visibility of our IT audit findings. It also summarises reviews undertaken in two areas—identity & access management (IDAM) and software licensing practices.
Sixty-five key financial IT applications and their infrastructure were audited, with 462 associated audit findings used as the basis for this report’s analysis.
Most IT audit findings identified were rated medium and high risk, with one audit finding rated as an extreme risk. Along with the specific IT audit findings, this report draws out the following three clear emerging themes:
management of controls at outsourced IT environments requires improvement
use of IT systems that are no longer supported or are at their end-of-life
IT security controls need improvement.
Notwithstanding some deficiencies in IT controls, VAGO was able to rely on these controls for financial reporting purposes because other mitigating controls were identified and tested.