
Audit: Victoria audit warns of weak IT controls in council systems | iTnews

Victorian Local Government Audit Report 27 February 2023
Victoria audit reports a significant rise in IT control weaknesses in council systems
Calls for Essential Eight adoption.
Victorian Auditor General’s Office Report: Results of 2021–22 Audits: Local Government
Media Report:Victoria audit warns of weak IT controls in council systems | iTnews
Read more Victorian incidents.
Victoria’s auditor-general is concerned at an increase in the number of weak IT controls in the state’s local government sector.
In a new audit of local government books, the office said it had increased its scrutiny of councils’ IT controls, and didn’t like what it found.
“In 2021–22, we increased our use of system assurance auditors. As a result of this shift in audit approach, we found more IT control weaknesses,” the report stated
All of these issues were rated as medium risk.
A council’s risk of experiencing a major disruption, such as a cyber-attack, increases if it does not fix IT control issues in a timely way.
User-access management and authentication controls reduce the likelihood of unauthorised access to an entity’s systems and underlying data.
Audit logging and monitoring controls detect unauthorised access and changes after they occur. Audit logs also ensure that all important changes are captured as part of an entity’s change management controls.
Intrusion detection is an application that monitors network traffic and searches for known threats and suspicious or malicious activity.
The report recommended that “Complying with the Essential Eight security framework would help councils protect customer and sensitive data better.”
I should note that Essential 8 does not address two of the key areas in the findings.
- “Audit logging and monitoring controls detect unauthorised access and changes after they occur. Audit logs also ensure that all important changes are captured as part of an entity’s change management controls.
- Intrusion detection is an application that monitors network traffic and searches for known threats and suspicious or malicious activity.”