219 Items found
Published: Thursday 28 June 2018

The objective of the audit was to assess the effectiveness of the management of cyber risks by the Department of the Treasury, National Archives of Australia and Geoscience Australia.

Entity
Department of the Treasury; National Archives of Australia; Geoscience Australia
Contact

Please direct enquiries through our contact page.

Published: Friday 14 June 2024

The objective of this audit was to assess the effectiveness of the selected entities’ implementation of arrangements for managing cyber security incidents in accordance with the Protective Security Policy Framework (PSPF) and relevant ASD Cyber Security Guidelines.

Entity
Australian Transaction Reports and Analysis Centre; Services Australia
Contact

Please direct enquiries through our contact page.

Published: Friday 19 March 2021

The objective of the audit was to assess the effectiveness of cyber security risk mitigation strategies implemented by selected non-corporate Commonwealth entities to meet mandatory requirements under the Protective Security Policy Framework, and the support provided by the responsible cyber policy and operational entities.

Entity
Across Entities
Contact

Please direct enquiries through our contact page.

Published: Wednesday 14 June 2023

This edition of Audit Insights is targeted at Australian Government officials who have responsibility for the implementation of cyber security controls or strategy for government systems. The aim is to communicate lessons from our audit work to make it easier for people working within the Australian public sector to apply those lessons. It is drawn from audit reports tabled in 2019–20, 2020–21 and 2022–23 into management of cyber security risks.

Contact

Please direct enquiries through our contact page.

Published: Wednesday 14 December 2022

The objective of this audit was to examine the effectiveness of selected non-corporate Commonwealth entities' arrangements for managing cyber security risks within their procurements and specific contracted providers under the Protective Security Policy Framework (PSPF).

Entity
Australian Federal Police; Australian Taxation Office; Department of Foreign Affairs and Trade
Contact

Please direct enquiries through our contact page.

Published: Thursday 4 July 2019

The objective of this audit was to assess the effectiveness of the management of cyber security risks by three government business enterprises or corporate Commonwealth entities. The entities selected for audit are ASC Pty Ltd, the Australian Postal Corporation and the Reserve Bank of Australia.

Entity
ASC Pty Ltd; Australian Postal Corporation; Reserve Bank of Australia
Contact

Please direct enquiries through our contact page.

Published: Monday 15 April 2013

Mr Ian McPhee, Auditor-General for Australia, presentation to the Global Working Group of Auditors-General

Published: Tuesday 24 June 2014

The audit objective was to assess selected agencies’ compliance with the four mandatory ICT security strategies and related controls in the Australian Government Information Security Manual.

Entity
Across Agencies
Contact

David Gray, Executive Director - Phone (02) 6203 7377

Published: Thursday 5 May 2016

The audit objective was to assess selected entities’ compliance with the four mandatory ICT security strategies in the Australian Government Information Security Manual (ISM).

Entity
Australian Federal Police (AFP); Australian Transaction Reports and Analysis Centre (AUSTRAC); Department of Agriculture and Water Resources; Department of Industry, Innovation and Science
Contact

Please direct enquiries relating to reports through our contact page.

Published: Friday 20 July 2018

This edition of audit insights covers audit reports tabled in Parliament during the fourth quarter of 2017–18 with a focus on the key learnings relating to cyber resilience. Cyber security is an increasing risk across government and one that requires attention by Accountable Authorities.

Contact

Please direct enquiries through our contact page.

Updated: Friday 22 July 2022

Section 41 of the Auditor-General Act 1997 establishes the position of the Independent Auditor. The Independent Auditor report, Review of Cyber Security, was tabled in Parliament on 4 December 2017.

Contact

Please direct enquiries through our contact page.

  • In order to mitigate cyber security incidents caused by cyber threats and meet the mandatory requirements of the framework, non-corporate Commonwealth entities must prioritise the implementation and maturity level of their Essential Eight mitigation strategies to strengthen their cyber security posture and manage the evolving threat environment.
  • Cyber security contract terms and conditions that associate performance measures and financial consequences for non-compliance can assist with establishing performance expectations.
  • Assurance arrangements such as the Cyber Threat Assurance Program approach established by ATO to check on the implementation of mandatory PSPF cyber security requirements can assist with monitoring of compliance against cyber security contract requirements.
  • Manage cyber risks systematically, including through assessments of the effectiveness of controls, security awareness training, and adopting a risk-based approach to prioritise improvements to cyber security.
  • In establishing specific risk management frameworks for cyber security, the three audited government business enterprises and corporate Commonwealth entities adopted mitigation strategies and controls from the Australian Government Information Security Manual, despite not being mandated to do so. The Reserve Bank and Australia Post went further and adopted aspects of recognised national and international cyber security frameworks applicable to their industry or regulatory environments.
  • Cyber resilience requires more than entities being compliant with relevant risk management frameworks and controls. The Reserve Bank has embedded behaviours and practices within its organisation that contribute to a strong cyber resilience culture. ASC has demonstrated a positive attitude to managing cyber risks and an open approach to continuous improvements to cyber security processes and practices.
  • Independent timely reporting on the implementation of the cyber policy framework supports public accountability by providing an evidence base for the Parliament to hold the executive government and individual entities to account. The extent of public reporting should be appropriately balanced with the need to manage cyber security risks where adversaries could use published information about cyber vulnerabilities to more effectively target malicious activities. Strong accountability arrangements within government are required in the absence of public accountability through the Parliament.
  • Where controls required within a cyber security framework are not being met, entities such as the Reserve Bank and ASC have undertaken a risk assessment to develop mitigating controls, which have proven effective in meeting the intent of the specified controls. Entities can draw on expertise in the Australian Government (such as the Australian Cyber Security Centre) and the private sector for assistance in strengthening cyber security controls.
  • Self-assess the Top Four cyber security risk mitigation strategies of the Protective Security Policy Framework using a controls-based approach. If the self-assessment finds non-compliance, make the necessary investments and changes to become compliant.
  • The effective implementation of cyber security mitigation strategies is underpinned by the identification of assets and risk assessments to identify the level of protection required from cyber threats.
  • To meet the mandatory PSPF requirements of mitigating common and emerging cyber threats, it is important for entities to have effective risk management practices for cyber security. This includes conducting assessments of the effectiveness of security controls, security awareness training, and adopting a risk-based approach to prioritise improvements to cyber security.
Published: Wednesday 23 March 2011

The objective of the audit was to assess the effectiveness of Australian Government agencies' management and implementation of measures to protect and secure their electronic information, in accordance with Australian Government protective security requirements.

Entity
Across agencies
Published: Tuesday 20 December 2011

The objective of the audit was to assess the effectiveness of the management of risks arising from the use of PSDs in selected Australian Government agencies. The PSDs included within the scope of this audit were: USB flash drives; CDs and DVDs; external hard drives; laptop computers and smartphones.

Entity
Across agencies
  • As Australia’s cyber security regulatory landscape evolves and reforms, it is important for an entity to consider how their legal function will support their governance committees during the external reporting process to manage increasing scrutiny and liability risks following a significant or reportable cyber security incident.
Published: Wednesday 7 May 2014

The audit objective was to assess the effectiveness of the Therapeutic Goods Administration’s (TGA) application of the Code of Good Manufacturing Practice (Code of GMP) for prescription medicines.

Entity
Department of Health
Contact

Please direct enquiries relating to reports through our contact page.

Potential audit: 2024-25

This audit would continue the ANAO’s series of audits on cybersecurity.

The scope would include comparing the entities’ cybersecurity frameworks and controls against the controls required under the Protective Security Policy Framework (Policy 2 — Management structures and responsibilities, Policy 4 — Security maturity monitoring, and Policy 10 — Safeguarding information from cyber threats) and the Australian Signals Directorate’s Essential Eight Maturity Model.

Entity
Cross Entity
Contact

Please direct enquiries through our contact page.

Published: Tuesday 24 June 2014

The audit objective was to assess the effectiveness of physical security arrangements in selected Australian Government agencies, including whether applicable Australian Government requirements are being met.

Entity
Australian Crime Commission, Geoscience Australia, Royal Australian Mint
Contact

Please direct enquiries relating to reports through our contact page.

Published: Friday 4 May 2018

This first e-newsletter of the Commonwealth Auditors General Group was produced by Sir Amyas Morse, UK Comptroller and Auditor General as guest editor, along with the editorial team of the Auditors General of Australia, Fiji, Jamaica and Tanzania. Cybersecurity is the theme for this newsletter, with articles from the Supreme Audit Institutions (SAIs) of Australia, Malta and the UK.

One of the main purposes of the e-newsletter is to share experiences and establish a dialogue based on the discussions that were started at the 23rd Conference of Commonwealth Auditors General in Delhi. For this edition the conversation is around ‘leveraging technology in public audit’, and it draws on international peers’ experiences and learnings from conducting cybersecurity audits.

Contact

If you have any thoughts on future technical content which you would like to propose, please contact international@nao.gsi.gov.uk

Published: Wednesday 15 March 2017

The audit objective was to re-assess the three entities' compliance with the 'Top Four' mandatory strategies in the Australian Government Information Security Manual (ISM). The audit also aims to examine the typical challenges faced by entities to achieve and maintain their desired ICT security posture.

Entity
Australian Taxation Office; Department of Human Services; Department of Immigration and Border Protection
Contact

Please direct enquiries relating to reports through our contact page.