In June 2014, the Australian National Audit Office tabled in Parliament ANAO Audit Report No.50 2013–14, Cyber Attacks: Securing Agencies’ ICT Systems. The report examined implementation of the mandatory strategies in the Australian Government Information Security Manual (ISM).

The Joint Committee of Public Accounts and Audit (JCPAA) held a public hearing to examine Report No.50 on 24 October 2014. The Committee was concerned that the seven entities audited were not compliant with the ‘Top Four’ strategies in the ISM. And that none of the entities were expected to achieve compliance by the mandated target date of 30 June 2014.

In light of concerns about entities’ shortcomings to achieve compliance, the JCPAA asked the Auditor-General to extend the coverage of the audit to include other entities. In response to the JCPAA, a performance audit was scheduled to assess another four selected entities’ compliance with Australian Government requirements. This report is the outcome of the audit.