The objective of this audit is to assess the effectiveness of cyber security risk mitigation strategies implemented by selected non-corporate Commonwealth entities to meet mandatory requirements under the Protective Security Policy Framework (PSPF), and the support provided by the responsible cyber policy entities.

Audit criteria

The ANAO proposes to examine whether:

  • the selected entities have fully implemented the Top Four cyber security risk mitigation strategies or otherwise adopted strategies and actions to progress towards full implementation; and
  • the three entities responsible for cyber policy in the Commonwealth (the Australian Signals Directorate, the Attorney-General’s Department and Department of Home Affairs) have worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cyber security requirements under the PSPF.


  • Attorney-General’s Department
  • Australian Signals Directorate
  • Australian Trade and Investment Commission
  • Department of Education, Skills and Employment
  • Future Fund Management Agency
  • Department of Health  
  • Department of Home Affairs
  • IP Australia
  • Department of the Prime Minister and Cabinet

Contribute to this audit

The ANAO welcomes members of the public contributing information for consideration when conducting performance audits. Performance audits involve the independent and objective assessment of the administration of an entity or body’s programs, policies, projects or activities. They also examine how well administrative support systems operate.

The ANAO does not have a role in commenting on the merits of government policy but focuses on assessing the efficient and effective implementation of government programs, including the achievement of their intended benefits.

The audit you have selected is currently collecting audit evidence and is seeking input from members of the public. We particularly value information that deals with significant matters or insights into the administration of the subject of this audit. Information can be submitted either by uploading a file, or by entering your information into the comments box below.

While your contribution will be considered, and handled with care, you will not automatically receive feedback about your contribution. However, if you provide your contact details, you may be contacted regarding your contribution.

Please note that contributions are intermittently monitored. We aim to consider all contributions within 14 days of receipt.

We anticipate accepting contributions to this audit until Sunday 31 May 2020.

Files must be less than 20 MB.
Allowed file types: txt pdf doc docx.