Report finds NSW Government Agencies at risk

The NSW Auditor General has criticised poor record-keeping practices among 40 of the largest agencies in the NSW public sector in its final audit of Internal Control and Governance for 2019.

The 40 agencies constitute around 84 per cent of total expenditure for all NSW public sector agencies and include The Treasury, Department of Premier and Cabinet, the NSW Police Force, Service NSW and Department of Education.

The report identified a number of governance failings that were common to multiple agencies. These included:

  • out-of-date policies or an absence of policies to guide appropriate decisions
  • poor record-keeping and document retention
  • incomplete or inaccurate centralised registers or gaps in these registers
  • policies, procedures or controls no longer suited to the current organisational structure or business activities.

Security controls over information were also placed in the spotlight, and once again the agencies did not fare well.

The audit found:

  • user access administration deficiencies at 58 per cent of agencies related to granting, review and removal of user access
  • an absence of privileged user activity reviews at 35 per cent of agencies
  • password controls that did not align to password policies at 20 per cent of agencies.

Shortfalls were also identified in managing sensitive data: one third of the agencies audited do not maintain an inventory of their sensitive data and where it resides.

At one agency, the auditor identified a high risk arising from deficiencies in controls to manage privileged user access on a key business system.

“Privileged users are able to access key systems and functions. They may also be able to remove records of their activity if programmed logging features are disabled. Inappropriate privileged user access exposes agencies to greater risk of unauthorised changes to systems and data by these users, or by cyber criminals using their logon details,” the report noted.

Thirty-five per cent of the agencies audited do not periodically review the activities of privileged users to identify suspicious or unauthorised activities.

“Without strong governance systems and internal controls, agencies increase the risks associated with effectively managing their finances and delivering services to citizens. For example, if they do not have strong information technology controls, sensitive information may be at risk of unauthorised access and misuse,” the report notes.

The graph shows the processes used by agencies to identify where their sensitive data is located within their IT infrastructure.

“An agency's ability to appropriately protect sensitive data is limited without a comprehensive understanding of all sensitive data held and where it is stored. Sixty-eight per cent of agencies maintain an inventory of their sensitive data. However, this may not be a complete inventory because, of these agencies:

  • 11 per cent had not captured data held in unstructured data repositories, such as shared network drives and email servers
  • 29 per cent of agencies had not considered data held by their service providers.

“We also found that the process whereby agencies identified their sensitive data was not always comprehensive. Generally, agencies relied on common processes such as reviewing existing documentation (e.g. data flow diagrams) and business process walkthroughs to identify sensitive data. Other processes were less commonly used, such as:

  • using questionnaires sent to key officers, such as business process owners and database administrators
  • scanning network shared drives, intranet sites and databases
  • scanning network segments to identify undocumented shared drives, databases and servers
  • scanning user workstations to identify sensitive data stored on local drives.

“The use of common processes to identify where sensitive data is held increases the risk that not all sensitive data will be identified, meaning it may not be adequately protected.”

The full report is available HERE