Updated: Friday 22 July 2022

Section 41 of the Auditor-General Act 1997 establishes the position of the Independent Auditor. The Independent Auditor report, Review of Cyber Security, was tabled in Parliament on 4 December 2017.

Contact

Please direct enquiries through our contact page.

  • To mitigate cyber security incidents and meet the mandatory requirements of the Protective Security Policy Framework (PSPF), non-corporate Commonwealth entities must prioritise implementing the Essential Eight mitigation strategies and raising their maturity level, so as to strengthen their cyber security posture and manage the evolving threat environment.
  • Cyber security contract terms and conditions that tie performance measures to financial consequences for non-compliance can help establish clear performance expectations.
  • Assurance arrangements such as the Cyber Threat Assurance Program approach established by ATO to check on the implementation of mandatory PSPF cyber security requirements can assist with monitoring of compliance against cyber security contract requirements.
Potential audit: 2025-26

This audit would continue the ANAO’s series of audits on cyber security.

The scope would include assessing selected entities’ cyber security frameworks and controls against the controls required under the Protective Security Policy Framework and the Australian Signals Directorate’s Essential Eight Maturity Model.

Entity: Cross Entity

  • Manage cyber risks systematically, including through assessments of the effectiveness of controls, security awareness training, and adopting a risk-based approach to prioritise improvements to cyber security.
  • In establishing specific risk management frameworks for cyber security, the three audited government business enterprises and corporate Commonwealth entities adopted mitigation strategies and controls from the Australian Government Information Security Manual, despite not being mandated to do so. The Reserve Bank and Australia Post went further and adopted aspects of recognised national and international cyber security frameworks applicable to their industry or regulatory environments.
  • Cyber resilience requires more than entities being compliant with relevant risk management frameworks and controls. The Reserve Bank has embedded behaviours and practices within its organisation that contribute to a strong cyber resilience culture. ASC has demonstrated a positive attitude to managing cyber risks and an open approach to continuous improvements to cyber security processes and practices.
  • Independent timely reporting on the implementation of the cyber policy framework supports public accountability by providing an evidence base for the Parliament to hold the executive government and individual entities to account. The extent of public reporting should be appropriately balanced with the need to manage cyber security risks where adversaries could use published information about cyber vulnerabilities to more effectively target malicious activities. Strong accountability arrangements within government are required in the absence of public accountability through the Parliament.
  • Where controls required within a cyber security framework are not being met, entities such as the Reserve Bank and ASC have undertaken a risk assessment to develop mitigating controls, which have proven effective in meeting the intent of the specified controls. Entities can draw on expertise in the Australian Government (such as the Australian Cyber Security Centre) and the private sector for assistance in strengthening cyber security controls.