- Independent timely reporting on the implementation of the cyber policy framework supports public accountability by providing an evidence base for the Parliament to hold the executive government and individual entities to account. The extent of public reporting should be appropriately balanced with the need to manage cyber security risks where adversaries could use published information about cyber vulnerabilities to more effectively target malicious activities. Strong accountability arrangements within government are required in the absence of public accountability through the Parliament.
- Where controls required within a cyber security framework are not being met, entities such as the Reserve Bank and ASC have undertaken a risk assessment to develop mitigating controls, which have proven effective in meeting the intent of the specified controls. Entities can draw on expertise in the Australian Government (such as the Australian Cyber Security Centre) and the private sector for assistance in strengthening cyber security controls.
- Self-assess the Top Four cyber security risk mitigation strategies of the Protective Security Policy Framework using a controls-based approach. If the self-assessment finds non-compliance, make the necessary investments and changes to become compliant.
- The effective implementation of cyber security mitigation strategies is underpinned by the identification of assets and risk assessments to identify the level of protection required from cyber threats.
- To meet the mandatory PSPF requirements of mitigating common and emerging cyber threats, it is important for entities to have effective risk management practices for cyber security. This includes conducting assessments of the effectiveness of security controls, security awareness training, and adopting a risk-based approach to prioritise improvements to cyber security.
The objective of the audit was to assess the effectiveness of Australian Government agencies' management and implementation of measures to protect and secure their electronic information, in accordance with Australian Government protective security requirements.
The objective of the audit was to assess the effectiveness of the management of risks arising from the use of PSDs in selected Australian Government agencies. The PSDs included within the scope of this audit were: USB flash drives; CDs and DVDs; external hard drives; laptop computers and smartphones.
- As Australia’s cyber security regulatory landscape evolves and reforms, it is important for an entity to consider how their legal function will support their governance committees during the external reporting process to manage increasing scrutiny and liability risks following a significant or reportable cyber security incident.
The audit objective was to assess the effectiveness of the Therapeutic Goods Administration’s (TGA) application of the Code of Good Manufacturing Practice (Code of GMP) for prescription medicines.
Please direct enquiries relating to reports through our contact page.
The audit objective was to assess the effectiveness of physical security arrangements in selected Australian Government agencies, including whether applicable Australian Government requirements are being met.