Audit: Western Australia Auditor General’s Local Government Financial Audit 2020-21 reports 358 information system control weaknesses
West Australian Audit Report 17 August 2022
12 of the 45 entities did not meet expectations across all six control categories, and 68% of the audit results were below the minimum benchmark
In 2020-21, we reported 358 information system control weaknesses to 45 entities, with 10% (37) of these rated as significant and 71% (254) as moderate. Last year we reported 328 control weaknesses to 50 entities. As these weaknesses could significantly compromise the confidentiality, integrity and availability of information systems, entities should act promptly to resolve them.
Our capability assessments at 12 of the 45 entities show that none met our expectations across all six control categories and 68% of the audit results were below our minimum benchmark. Information and cyber security remain significant risks again this year and need urgent attention. Compared to 2019-20, there have been some improvements in change control but very little progress in management of information technology (IT) risks, physical security and IT operations. Entities need to improve in all six control categories.
Of the weaknesses identified in 2020-21:
- 47% related to information security issues. These included system and network vulnerabilities, and unauthorised and inappropriate access
- 28% related to IT operations issues. In particular, there were issues in inadequate monitoring and logging of user activity, poor handling of information and lack of review of user access privileges
- 13% related to business continuity. For example, disaster recovery and business continuity plans were lacking or out-of-date
- 12% related to inappropriate IT risk management, poor environmental controls for the server room and a lack of change management controls.