The Victorian Auditor-General’s Office (VAGO) has issued a report into the financial IT systems in the state’s government agencies and departments. It is highly critical of the processes and controls in place, finding that most of the 65 financial applications it examined, spread over 45 government entities, are ‘medium’ or ‘high’ risk.
The report cites low levels of IT security and aged software as two of the key problems. “Alarmingly, each year VAGO is finding a large number of IT systems and software which are either no longer supported or fast approaching the end of support by the vendor.
“This poses IT security and operational risks to the entities’ IT environment, as well as unnecessary added costs.
“Disappointingly, IT security-related audit findings continue to be raised and again account for the majority of our audit findings. It is also disappointing that our recommendation for a whole-of-government disaster recovery framework has not been addressed since it was first made in 2012–13.”
The number of high-risk audit findings nearly doubled from 69 in 2013-14 to 134 in 2014-15 (out of 462 total audits).
“The key reason for this significant increase is related to IT security and the risks associated with using IT systems that are past or approaching their end-of-life. These were two of the three themes identified this year,” says the report.
“More focused attention and oversight by accountable officers and governance bodies is required to address our IT audit findings from previous years and to ensure sustainable process improvements are implemented to prevent future recurrence.”
Nearly half (41 per cent) of VAGO’s IT audit findings from previous years, many of which were rated high-risk, have not been addressed.
The report makes a number of recommendations, mostly to do with better training, more monitoring, and the improvement of identity management.
It used the standard capability maturity model (CMM) five-level ranking to determine the maturity of IT systems in the Victorian Government in a number of areas. The ratings, on the whole, were not good, “meaning controls across IT systems may be inconsistent despite some sustainable and repeatable practices and procedures.”
This year’s report focused on two key areas – identity and access management (IDAM) and software licensing.
“IDAM controls at more than half of the 30 in-scope entities require improvement. While software licensing is generally well-managed across the in-scope entities, there are a number of opportunities for improvement.
“Software licensing controls, in particular key controls which restrict the installation of software by end-users, were generally found to be established and mature for in-scope entities. Software licensing policies and procedures, and compliance monitoring, however, requires improvement at more than half of the in-scope entities.”
Victoria’s Acting Auditor-General Dr Peter Frost said that VAGO would soon publish a ‘better practice guide’ to enhance the IT environment in the Victorian Government.
“I encourage all public sector entities to assess their IT control environment against this better practice guide.”