
The Office of the Auditor General (OAG) released their Information Systems Audit Report 2022 – Local Government Entities in June.
The report summarises the OAG's findings and recommendations following an audit of 45 local government entities for calendar year 2020 to 2021.
Unfortunately, the audit found that, in general, the sector is performing poorly when it comes to cyber security. LGIS has launched our cyber-risk pilot program to support members in improving their cyber-security practices.
The OAG assesses against six (6) general computer controls (GCC) to see if entities have effective system controls in place to support the confidentiality, integrity and availability of their IT systems and financial reporting.
Audits focus on the following categories for both GCCs and capability maturity assessments:
- Information security
- IT operations
- Business continuity
- Change control
- Management of IT risks
- Physical security.
Over the 2020-21 period the OAG reported 358 control weaknesses for 45 entities, compared to 328 weaknesses at 50 entities in the previous period. Ten per cent (37) of this year's weaknesses were rated as significant and 71% (254) as moderate. These weaknesses represent a considerable risk to the confidentiality, integrity and availability of entities' information systems and need prompt resolution.
Fifty-six per cent (202) of the findings were unresolved issues from last year. Entities need to address these weaknesses to reduce the risk of their systems and information being compromised.
None of the 12 entities that had capability maturity assessments met the OAG's expectations across all six control categories, a similar finding to last year. Information security remains a significant risk and needs urgent attention.
Compared to 2019-20, there were some improvements in change control, management of IT risks, physical security and IT operations.
For support on improving your local government's cyber-security practices, contact the LGIS risk services team.