The Victorian Auditor-General's Annual Plan 2016–17 was prepared pursuant to the requirements of section 7A of the Audit Act 1994, and tabled in the Victorian Parliament on 8 June 2016.
VAGO's renewed focus on information and communications technology (ICT) led to the establishment of the Information Systems Audit (ISA) team in 2013–14. The dedicated effort in this area reflects the Victorian Government's significant ICT expenditure, which the April 2015 audit Digital Dashboard: Status Review of Major ICT Projects and Initiatives – Phase 1 found was more than $3 billion per annum.
In 2016–17, we plan to deliver four reports—three performance audit reports and one financial systems controls report—focused on information systems.
From time to time, we may introduce new topics into the program to accommodate high-priority ICT issues that emerge. We will provide advance notice to audited agencies and the Public Accounts and Estimates Committee (PAEC) of any proposed new performance audit topics.
Our ISA team performs ICT-related performance audits in its own right and works closely with the financial audit teams to review information systems and controls as part of financial audits. We also provide expertise in data mining and analysis, and technical ICT-related advice to performance audit teams.
The two ongoing audit reports produced by our ISA team are:
This section sets out our ISA audit program for 2016–17 and 2017–18. For each audit listed, the audit scope is determined after detailed planning and consultation with PAEC and relevant departments and agencies.
Each proposed audit also indicates the agencies we plan to include. The Auditor-General may add an authority to, or remove one from, an audit. This plan provides an indication of our intentions at this stage.
This section sets out proposed specifications for our 2016–17 and 2017–18 ICT performance audits. For each audit listed, we outline an objective for the audit and the issues we intend to examine.
Objective: To examine the effectiveness of ICT strategic planning in the public health sector.
Issues: Despite several billion dollars in annual investment, the public sector does not have a good track record for planning and implementing ICT initiatives. Strategic planning for public sector ICT projects is often characterised by a reactive 'internal' view of service demand—and this view is being fundamentally challenged and sometimes overwhelmed by the emerging technology landscape.
This audit will examine the effectiveness of government's Health ICT strategic planning in ensuring significant public resources are being effectively and efficiently invested, particularly on clinical ICT systems. It will also consider the effectiveness of government's Health ICT strategic planning in responding to challenges brought about by the advancement of technology.
Proposed agencies: The Department of Premier & Cabinet, the Department of Health & Human Services, and selected health services.
Objective: To assess the effectiveness of ICT security policies, procedures and practices for hospital patient systems and data.
Issues: Public sector entities, including those in the health sector, are increasingly reliant on ICT to deliver services. ICT environments are, however, being threatened more frequently by security risks of increasing scale and sophistication.
This audit will examine whether hospitals have rigorous security policies, procedures and practices in place over patient systems and data, to ensure that patients' privacy is maintained and that data remains accurate and available to authorised persons when needed.
Proposed agencies: The Department of Health & Human Services and selected public hospitals.
Objective: To assess whether security risks to the critical ICT management systems that operate and control train infrastructure are managed effectively.
Issues: Victoria's train infrastructure relies on ICT management systems to operate and control train power and signalling systems. Any malfunction of such systems, be it deliberate or unintentional, can disrupt essential services with potentially catastrophic consequences for the state.
This audit will examine whether the governance arrangements, processes and controls in place effectively manage the security risks that may impact the train network's infrastructure control systems.
This audit will also determine the extent to which transport agencies have implemented recommendations raised in our 2010–11 audit Security of Infrastructure Control Systems for Water and Transport.
Proposed agencies: The Department of Economic Development, Jobs, Transport & Resources, Public Transport Victoria, V/Line, Victorian Rail Track Corporation, Emergency Management Victoria and Victoria Police.
Objective: To assess the effectiveness of the Department of Premier & Cabinet's oversight and reporting of relevant Victorian Government ICT expenditure and project information.
Issues: As reported in the April 2015 audit Digital Dashboard: Status Review of ICT Projects and Initiatives – Phase 1, determining the status and outcomes of public sector ICT initiatives is currently difficult. Despite significant expenditure in ICT, most agencies and entities provide little, if any, public information specifying their activities and spend. This lack of transparency makes it difficult to determine whether ICT investments have enhanced government services and whether public resources have been spent in an efficient, effective and economical way.
Phase 1 of this audit recommended that the Victorian Government increase its level of transparency around ICT expenditure and the status of ICT projects. This audit will assess how reporting of relevant Victorian Government ICT expenditure and project information has progressed since 2015.
Proposed agencies: The Department of Premier & Cabinet and selected agencies.
Objective: To assess the effectiveness of ICT disaster recovery planning in ensuring departments' and agencies' systems and data can be appropriately recovered in the event of a disaster.
Issues: Disaster recovery planning concerns the ability of departments and agencies to recover their critical IT systems and data completely and in a timely manner in the event of a disaster at a primary data centre. If public sector entities—or their IT service providers—are unable to react and respond appropriately, a disaster could interrupt the entity's delivery of services to the community and could cause reputational damage to the state and the entities involved.
As reported in the October 2015 Financial Systems Controls Report: Information Technology 2014–15, disaster recovery planning continues to be a significant concern, particularly where a number of departments and agencies are dependent on a limited number of IT managed service providers.
This audit will focus on disaster recovery frameworks, processes and plans to ensure selected departments and agencies are prepared to continue service provision in the event of a disaster at a primary data centre.
Proposed agencies: CenITex (selected departments and agencies), Victoria Police, the Department of Education & Training, and the Department of Health & Human Services (HealthSMART).
Objective: To examine the effectiveness of ICT security and privacy policies, procedures and practices concerning surveillance technologies.
Issues: The use of public surveillance technologies such as closed-circuit television (CCTV) and automatic number plate recognition by government agencies is widespread. While potentially beneficial for safety reasons, security and privacy concerns have continued to follow government's extensive use of these technologies. This proposed performance audit aims to provide assurance that the use of public surveillance technologies is:
Proposed agencies: The Department of Health & Human Services, Victoria Police, VicRoads, Public Transport Victoria and selected local government councils.
The annual financial systems controls report will summarise the results of the previous cycle of financial audits, together with the results of examining selected areas of focus. Work performed on the selected areas of focus will cover both financial and operational ICT systems and processes implemented by agencies.
Figure 8 summarises the financial systems controls report areas of focus to be examined and reported on for 2016–17 and 2017–18. Each area of focus is discussed in more detail below.
Figure 8: Financial systems controls report areas of focus 2016–17 and 2017–18
Areas of focus 2016–17: IT general controls maturity; wireless network security; implementation of 'Top 4' cyber-intrusion mitigation strategies
Areas of focus 2017–18: IT general controls maturity
In planning a financial audit, we undertake information technology (IT) general controls work to understand and evaluate an entity's IT environment and risks related to the reliability of financial reporting.
We will use the results of our IT general controls work performed as part of the previous cycle of financial audits, along with supporting procedures and reference to better practice maturity frameworks, to report on departments' and selected agencies' IT general controls maturity in the following areas:
Wireless networks enable users and systems to remotely access organisational data and resources without the need to be located within a trusted physical area, such as an office. Wireless security aims to prevent unauthorised access to systems using wireless networks. We will review the policies, procedures and established wireless network controls within departments and selected agencies, and assess them against better practice guidelines.
In accordance with the Victorian Information Security Management Framework, inner whole-of-Victorian-Government (WoVG) agencies are required to implement the Australian Signals Directorate's (ASD) 'Top 4' strategies to mitigate targeted cyber intrusions. The 'Top 4' strategies are:
We will review the policies, procedures and established controls implemented by selected inner WoVG agencies in relation to the ASD's 'Top 4' strategies.
Data classification strategies provide an organisation with a consistent approach for categorising, managing and storing data and information. Data classification typically includes reviewing and categorising data and information based on its nature and sensitivity. In November 2015, the Commissioner for Privacy and Data Protection published the Victorian Protective Data Security Standards to better guide government entities in applying good practice processes.
We will review the policies, procedures and established data classification controls within departments and selected agencies against better practice guides and regulatory requirements, such as the Commissioner for Privacy and Data Protection's data security standards.
According to the Australian Government Information Security Manual, managing vulnerabilities can help ensure that any new vulnerabilities are consistently addressed in a timely manner and that security is maintained through unforeseen events and changes. Measures to monitor and manage vulnerabilities can provide agencies with information about their level of exposure, helping them to identify, prioritise and respond to security threats. Vulnerability management activities also feed into an agency's wider risk management process, to support the overall confidentiality, integrity and availability of the IT environment and systems.
We will review the policies, procedures and established vulnerability management controls implemented within departments and selected agencies against better practice guides.