Four Agencies given 6-Month IT Governance Deadline
The Australian Taxation Office, Department of Defence, National Archives of Australia (NAA) and Services Australia have been given a six-month deadline to report progress in closing significant breaches relating to their governance and control of IT systems.
The breaches were initially identified in the Australian National Audit Office (ANAO) audit of the Australian Government’s Consolidated Financial Statements (CFS), published in December 2023.
The ANAO found that 78 per cent of entities assessed do not have an effective control to monitor access or activity in entities’ systems after user cessation.
The Australian Parliament's Joint Committee on Public Accounts and Audit commenced an inquiry into the ANAO audit in February 2024. After a series of public hearings and submissions, it has now published its own report, which highlights poor IT governance, particularly user access issues.
Committee Chair Linda Burney stated that “unauthorised user access to IT systems across the Commonwealth remains a problem as in previous years. The risks this poses are potentially significant as some of the agencies involved hold highly sensitive information.”
The NAA was found by ANAO to have ineffective IT general controls to support the preparation of its financial statements, with the following weaknesses identified:
- insufficient oversight and documentation of review of privileged user access and activity logs.
- no formalised or documented periodic review of user access.
- inconsistent mapping of roles and responsibility configurations, including workflow approvers and inconsistent chart of accounts mapping configurations.
ANAO recommended a detailed review to address these significant issues, which was agreed to by NAA. In its submission to the inquiry, NAA stated that it had: “… immediately engaged an independent external consultant to undertake a forensic audit review of all the underlying transactions on which the financial statements were based and identify any potential fraud resulting from the financial management processes that were in place. ANAO provided oversight into the scope of works undertaken by the forensic auditor to ensure a complete and accurate review was undertaken.”
NAA told the Committee that there would be continuous monitoring by its Executive Board and Audit and Risk Committee of the actions undertaken to address each of the ANAO findings until their implementation was completed.
The ANAO report found the IT governance and monitoring processes at Services Australia were not providing sufficient assurance to its management that policy requirements were being met, further commenting that ‘this matter is considered to pose a significant financial, business and reputational risk to Services Australia.’
In its submission to the inquiry, Services Australia agreed with these assessments and the ANAO’s recommendations, and stated: “Due to the Agency’s complex and large number of IT platforms, in excess of 50 systems, that need to be reviewed to address the audit recommendations, the Agency has established a new Division to ensure the appropriate oversight and monitoring of remediation activities. Additional resources have also been onboarded to assist with remediation activities, including specialist resources with ICT policy, governance and assurance expertise.”
‘ ... it will take until the 2025 interim audit process for all aspects of the recommendations to be fully resolved.’