The federal government’s management of cyber security continues to be poorly managed, a new report says.
Auditor-General Grant Hehir said in his 2022/23 annual report there were “ongoing deficiencies in cyber security environments and poor governance over entity cyber security risks”.
“Although cyber security risks are becoming more widely understood and managed by entities, there remain critical shortcomings in key areas,” Hehir wrote in the report, tabled in parliament.
A key risk was the way in which user access was removed when public servants left their roles.
An audit during the year found in 53 of 144 departments and agencies assessed there was no policy for user access removal or defining the timeframe in which access should be removed following a user leaving.
As well, 119 agencies did not have an effective control or activity to monitor access or activity in their systems after user cessation.
But when the auditor asked agencies to self-assess, 80 percent said they were “fully effective” in handling the issue.
The auditor-general also expressed concerns non-compliance with government rules especially relating to procurement and grant administration risked being “embedded in public sector culture.”
This presented a challenge for leaders in the public service, Hehir said.
“At present there appears to be a relatively high risk tolerance for non-compliance so long as results are achieved, rather than seeing compliance as a hallmark of integrity and essential to the craft of public administration.”
Hehir said “stronger and more independent oversight” of the public sector may be needed.
The setting up of the National Anti-Corruption Commission and the report of the robodebt royal commission had brought integrity and ethics issues to the fore, Hehir noted.
“I expect the Australian National Audit Office (ANAO) will have a positive working relationship with the National Anti-Corruption Commission (NACC), both in sharing key sectoral insights and, as necessary, in considering maters which may be referred to the NACC as a result of our audit work,” Hehir said.
Looking ahead, Hehir flagged a greater focus on the National Disability Insurance Agency, as well as environment and climate reporting by departments.
He said defence major projects would also be closely watched, following concerns the Defence Department had decided to “sanitise” some of the information in a report about changes to the scheduling of projects.
The department argued releasing the information could damage security and international relations.
