Challenges persist in govt compliance of IT controls and software projects

News
26 Jun 2024
Government, IT Management, Security

The ANAO names the ATO, the Department of Defence and Services Australia as suffering from IT control deficiencies.

Several government departments need to improve their IT governance to meet compliance requirements, the Australian National Audit Office has found.

While departments are progressing in IT governance and software project management, challenges persist in compliance, particularly in IT controls and privacy requirements. Vigilant oversight and improvement efforts are essential to effectively manage risks and ensure government resources’ efficient and ethical use, the ANAO report indicated.

In its Interim Report on Key Financial Controls of Major Departments, ANAO found that internal controls were adequate in 14 departments. However, deficiencies in IT controls led to significant issues in three departments: the Australian Taxation Office, the Department of Defence, and Services Australia.

IT governance and compliance challenges

The ANAO audit findings primarily focused on IT security, notably concerning the removal of user access and the monitoring of privileged user access. These findings were reported as part of the 2023–24 interim audits for departments covered in the report, categorised into IT security, IT change management, and disaster recovery arrangements.

Services Australia’s IT governance weaknesses, particularly IT controls, were identified while implementing a large-scale IT rollout for residential aged care. Additionally, a significant number of individual control issues affecting change and access management and business operations were noted across various departments, including the Minister and Cabinet, Social Services, the Treasury, Veterans Affairs, and the National Disability Insurance Agency, alongside Services Australia.

Weaknesses were identified in the Australian Taxation Office’s (ATO) enterprise change management for crucial information technology systems that support the preparation of financial statements. These weaknesses primarily involved a discrepancy between the change management policy and procedural documentation, especially concerning the segregation of duties among developers and migrators.

The Department of Defence needs to improve the removal of user access from its systems. During the final audit for 2022–23, the ANAO found that 1,451 user accounts still had access that should have been revoked under the requirements of the Information Security Manual (ISM). This indicates a failure to properly manage and enforce the removal of access privileges in line with established security guidelines.

In the report, the ANAO emphasised the need for sector-wide improvement in governance processes to support the design, implementation, and operational effectiveness of IT security controls, including adherence to the Information Security Manual (ISM).

Privacy Compliance and Data Breach Reporting

Out of the 27 departments audited, 22 indicated they collected personal information and complied with the Privacy Act 1988 and Australian Privacy Principles (APPs). However, 41 per cent of departments had yet to assess compliance with these privacy requirements under the APPs.

Notably, from July to December 2023, the Australian Government ranked among the top sectors reporting notifiable data breaches to the Australian Information Commissioner.

In the report, the ANAO underscored the importance of departments establishing appropriate governance measures and controls supported by clear policies, procedures, and practices aligned with privacy principles.

Cyber security recommendations

IT security is critical for protecting an entity’s information assets from internal and external threats. It focuses mainly on financially significant systems and data within the context of financial statement audits. The Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM) provide the foundation for government security policies and guidance on safeguarding information and systems from cyber threats.

Significant and moderate findings were reported across several key areas:

  • User Access Management: Issues were identified in approving new user access, conducting regular access reviews, and promptly removing access when no longer required. Nine moderate findings specifically pertained to logging and monitoring privileged user access.
  • Password Configuration: One minor finding highlighted inadequate controls over password requirements, which can increase the risk of unauthorised access.
  • Monitoring and Reporting: Three findings related to monitoring controls were identified. These included significant deficiencies in IT governance at Services Australia, moderate issues regarding monitoring effectiveness at the Department of Veterans Affairs, and minor concerns about cyber security governance.
  • Risk Management: Weaknesses in risk management practices were noted, particularly in monitoring controls and access management post-termination. Six moderate findings were reported in this area.
  • Privileged User Access: Departments were cautioned about the risks associated with privileged users (e.g., application administrators and system administrators) with broad access capabilities. As the ISM outlines, adequate controls include restricting access appropriately, logging access activities, and conducting regular reviews.

These findings underscore the ongoing need for departments to strengthen their IT security governance and controls to mitigate risks associated with unauthorised access to systems and data. Departments are encouraged to align with ISM recommendations and enhance their management practices to safeguard their operational environments effectively.
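The user access and privileged access findings above come down to a reconciliation that a department can automate: compare the accounts still active in a system with the authoritative staff list, and flag anything that should have been removed or re-reviewed. The script below is an added example, not code from the ANAO report or from any department's tooling. The account and staff records are constructed sample data, and the one-day removal deadline and 90-day privileged review interval are hypothetical policy parameters, not figures taken from the ISM.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy parameters (hypothetical figures, not taken from the ISM).
REMOVAL_DEADLINE_DAYS = 1        # access of separated staff removed within a day
PRIV_REVIEW_INTERVAL_DAYS = 90   # privileged access re-reviewed at least quarterly


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                   # links the account to an HR staff record
    privileged: bool                # e.g. application or system administrator
    last_reviewed: Optional[date]   # None means the access was never reviewed


@dataclass(frozen=True)
class StaffRecord:
    person_id: str
    separated_on: Optional[date]    # None means still employed


def find_access_findings(accounts: List[Account], staff: List[StaffRecord],
                         as_of: date) -> List[Tuple[str, str]]:
    """Reconcile active accounts against the staff list and return
    (username, finding) pairs sorted by username."""
    staff_by_id = {s.person_id: s for s in staff}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        rec = staff_by_id.get(acct.owner_id)
        if rec is None:
            # Orphaned account: no one in the HR data owns it, so no one approves it.
            findings.append((acct.username, "no_staff_record"))
            continue
        if (rec.separated_on is not None
                and as_of - rec.separated_on >= timedelta(days=REMOVAL_DEADLINE_DAYS)):
            # Owner has left and the removal deadline has passed.
            findings.append((acct.username, "separated_not_removed"))
            continue
        if acct.privileged:
            if acct.last_reviewed is None:
                findings.append((acct.username, "privileged_never_reviewed"))
            elif as_of - acct.last_reviewed > timedelta(days=PRIV_REVIEW_INTERVAL_DAYS):
                findings.append((acct.username, "privileged_review_overdue"))
    return sorted(findings)


def summarise(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings by type, the figure an audit report would quote."""
    return dict(Counter(kind for _, kind in findings))


# Constructed sample data (not real accounts or staff).
AS_OF = date(2024, 6, 26)
SAMPLE_STAFF = [
    StaffRecord("p1", None),
    StaffRecord("p2", date(2024, 3, 1)),   # left months ago
    StaffRecord("p3", None),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "p1", False, None),                  # employed, unprivileged: fine
    Account("bob", "p2", False, date(2024, 5, 1)),        # owner separated: must be removed
    Account("carol-adm", "p3", True, date(2024, 1, 15)),  # privileged, review 163 days old
    Account("dave-adm", "p1", True, date(2024, 6, 1)),    # privileged, reviewed 25 days ago
    Account("svc-backup", "p9", True, None),              # no owner in HR data
]

if __name__ == "__main__":
    results = find_access_findings(SAMPLE_ACCOUNTS, SAMPLE_STAFF, AS_OF)
    for username, kind in results:
        print(f"{username:12} {kind}")
    print(summarise(results))
```

Run against a real export, the three finding types map directly onto the audit's categories: accounts of separated staff are the access-removal failures, orphaned accounts show where approval and ownership records have broken down, and overdue privileged reviews are the logging-and-monitoring gap the ISM expects departments to close with periodic review.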

Software projects

Despite the widespread adoption of project management frameworks, there are opportunities for departments to enhance the effectiveness of governance in software project delivery. This includes increasing oversight from entity audit committees and broadening the adoption of assurance arrangements recommended by the Digital Transformation Agency (DTA).

As of January 2024, the departments in the report managed 717 distinct software projects, with a total budget (including capital and operating expenses) amounting to $10.9 billion.

Twenty-five out of 27 departments had established project management frameworks or policies to support the delivery of software projects. However, the Australian Office of Financial Management and the Department of Industry, Science and Resources did not have formal frameworks.

Most departments had assigned responsibility for monitoring software projects to an executive or committee within their organisational structure, but only 52% provided regular reports to their audit committees.

The 717 projects being delivered by 25 of the 27 departments as of January 2024 were managed through internal development or procurement processes.

According to the audit, six departments (the Department of Employment and Workplace Relations, the Department of Health and Aged Care, the Department of Home Affairs, NBN Co Limited, Services Australia, and Snowy Hydro Limited) collectively accounted for 61 per cent of these projects.

The total budget allocated for these software projects in the fiscal year 2023–24, including capital and operating expenses, amounted to $3.3 billion across the 25 departments. The Australian Taxation Office, Department of Defence, Department of Health and Aged Care, and Services Australia comprised 71 per cent of this budget.

The average budget per project for 2023–24 was $4.8 million, ranging from $0.2 million to $38.0 million per project. Notably, among departments delivering multiple projects, the Australian Taxation Office and the Department of Defence averaged $15.9 million and $38.0 million per project respectively, well above this figure.

The expected budget for these software projects is $10.9 billion. Three departments—the Australian Taxation Office, Department of Defence, and Services Australia—account for 75 per cent of this total budget, highlighting their substantial investments in software project delivery.

The DTA has recommended several assurance activities for digital investments, including software projects. These activities aim to ensure effective governance and risk management, such as internal audits, targeted reviews, and independent board oversight.

Despite these measures, opportunities exist for departments to enhance oversight and assurance processes, particularly concerning high-risk software projects, to improve governance effectiveness and mitigate potential risks.

Overall, the significant investment in software projects and the history of write-offs underscore the importance of robust governance frameworks and comprehensive assurance strategies to ensure software projects’ successful delivery and accountability across Australian Government departments.

Emerging technologies

According to the auditor, departments are increasingly exploring emerging technologies (including artificial intelligence) for application in their operations and service delivery. The ANAO intends to consider risks relating to the use of emerging technologies in audit planning processes to assure Parliament of their efficient, effective, economical, and ethical use.

The use of artificial intelligence (AI) significantly raises these risks and places greater importance on control frameworks that ensure appropriate governance, minimum standards, and requirements for the suitability and traceability of the process and output of decisions made through AI.

The development of a climate-related reporting framework and assurance regime in Australia is progressing. The ANAO is working with the Department of Finance (Finance) to establish an assurance regime for the Commonwealth Climate Disclosure (CCD) reform.

Commonwealth departments are increasingly exploring emerging technologies, such as robotic process automation (RPA) and artificial intelligence (AI), including machine learning and generative AI, to enhance operations and service delivery.

These technologies offer opportunities for innovation but also present risks, including lack of transparency, auditability, bias, security, and privacy concerns. Governance structures are crucial to ensure the ethical and responsible use of these technologies, as highlighted by the recommendations from the Royal Commission into the Robodebt Scheme.

In response to these challenges, the Australian Government has initiated several measures, including consultations on AI ethics and establishing governance frameworks.

The AI in Government Taskforce, led by the Digital Transformation Agency, coordinates efforts to map and regulate automated decision-making technologies across government services. Additionally, frameworks like the 2023-2030 Australian Cyber Security Strategy address cyber risks associated with emerging technologies.

However, audits have revealed that many departments using emerging technologies still need to establish adequate governance frameworks or align with external ethical principles. Weaknesses in IT controls, particularly in change management, have been highlighted, with AI implementation intensifying these risks.

The ANAO and the Joint Committee of Public Accounts and Audit are actively examining these issues to ensure AI’s responsible and effective use within the Australian Public Service (APS).

As policy frameworks for AI evolve, the ANAO will monitor them on an ongoing basis to assess departments’ readiness to adopt AI, evaluate associated risks, and advocate for robust control frameworks to safeguard against potential ethical, operational, and security challenges.

According to ANAO, continuous improvement in IT governance and cybersecurity practices will be critical for departments to successfully navigate evolving threats and technological advancements.