Published: Thursday 5 May 2016

The audit objective was to assess selected entities’ compliance with the four mandatory ICT security strategies in the Australian Government Information Security Manual (ISM).

Entity
Australian Federal Police (AFP); Australian Transaction Reports and Analysis Centre (AUSTRAC); Department of Agriculture and Water Resources; Department of Industry, Innovation and Science
Contact

Please direct enquiries relating to reports through our contact page.

Published: Friday 20 July 2018

This edition of audit insights covers audit reports tabled in Parliament during the fourth quarter of 2017–18 with a focus on the key learnings relating to cyber resilience. Cyber security is an increasing risk across government and one that requires attention by Accountable Authorities.


Updated: Friday 22 July 2022

Section 41 of the Auditor-General Act 1997 establishes the position of the Independent Auditor. The Independent Auditor report, Review of Cyber Security, was tabled in Parliament on 4 December 2017.


  • To mitigate cyber security incidents and meet the mandatory requirements of the framework, non-corporate Commonwealth entities must prioritise implementing the Essential Eight mitigation strategies and raising their maturity levels, so as to strengthen their cyber security posture and manage the evolving threat environment.
  • Cyber security contract terms and conditions that tie performance measures and financial consequences to non-compliance can help establish performance expectations.
  • Assurance arrangements, such as the Cyber Threat Assurance Program approach established by the ATO to check the implementation of mandatory PSPF cyber security requirements, can assist with monitoring compliance against cyber security contract requirements.
  • Manage cyber risks systematically, including through assessments of control effectiveness, security awareness training, and a risk-based approach to prioritising improvements to cyber security.
Potential audit: 2025-26

This audit would continue the ANAO’s series of audits on cyber security.

The scope would include assessing selected entities’ cyber security frameworks and controls against the controls required under the Protective Security Policy Framework and the Australian Signals Directorate’s Essential Eight Maturity Model.

Entity
Cross Entity

  • In establishing specific risk management frameworks for cyber security, the three audited government business enterprises and corporate Commonwealth entities adopted mitigation strategies and controls from the Australian Government Information Security Manual, despite not being mandated to do so. The Reserve Bank and Australia Post went further and adopted aspects of recognised national and international cyber security frameworks applicable to their industry or regulatory environments.
  • Cyber resilience requires more than entities being compliant with relevant risk management frameworks and controls. The Reserve Bank has embedded behaviours and practices within its organisation that contribute to a strong cyber resilience culture. ASC has demonstrated a positive attitude to managing cyber risks and an open approach to continuous improvements to cyber security processes and practices.