Commonwealth IT systems vulnerable

Federal government departments continue to experience significant breaches to their IT systems – including unauthorised access to highly sensitive information, a new report reveals.

According to the Inquiry into Commonwealth Financial Statements 2022-23 – which was tabled by the Joint Committee of Public Accounts and Audit this week – poor IT governance, particularly user access issues, continues to be among the major findings of the auditor-general’s report.

Committee chair Linda Burney said “unauthorised user access to IT systems across the Commonwealth remains a problem as in previous years. The risks this poses are potentially significant as some of the agencies involved hold highly sensitive information.”

In the 2022-23 audit, the Australian National Audit Office found that 78% of Commonwealth entities did not have effective controls to monitor user access to their IT systems after an employee had left the department. 

“Ineffective IT controls continued to be a key issue. There were an increased number of audit findings in 2022-23 in this respect,” reads the report. The breaches are of “considerable concern” to the committee, the report’s authors add.

This situation simply has to change

Among the agencies identified as vulnerable were the Australian Taxation Office, National Archives of Australia, Services Australia and the Department of Defence. ANAO reported “new significant and unresolved findings in the IT control environment” of the four Commonwealth entities.

Defence was found to have failed to remove IT access for personnel and contractors who had ceased employment with the department. In all, the ANAO identified 1,451 users whose access to the defence network was not removed in accordance with national security requirements. As well, during the period, there were almost 2,000 instances where former employees and contractors had logged into and accessed data from the defence system.

Weaknesses were found in the ATO’s key IT systems supporting financial statements preparation while the NAA was found to have ineffective IT controls. And a “significant risk” was found regarding IT governance within Services Australia. “This matter is considered to pose a significant financial, business and reputational risk to Services Australia,” says the report.

The committee recommends that each department report on progress in securing its IT systems within six months.

The committee discovered the emerging use of artificial intelligence by public sector agencies also posed a risk. ANAO noted that 36 entities had reported the adoption of some form of emerging technology such as AI but also that, in most cases, “no supporting policies or governance frameworks had been created”.

As the report’s authors note, failures in IT governance and control, most particularly with regard to unauthorised user access to IT systems across the Commonwealth, have been a security threat for many years – “this situation simply has to change”.
