The Auditor-General is the external auditor of Victoria's public
sector entities, and has a legislated obligation to provide
independent assurance to the Parliament about the financial status
as well as the efficiency, effectiveness and economy of these

This inaugural report summarises the results of our audits of
public sector entities' ICT general controls as part of the 2013–14
financial audits. This report is the first of its type by VAGO and
aims to provide extra insight and visibility of our ICT-related
audit findings, and also identify wider trends that may not be
covered in the reports we give to an entity's management.

Notwithstanding some deficiencies in ICT controls, VAGO was able
to rely on these controls for financial reporting purposes because
other mitigating controls were identified and tested. Most ICT
audit findings were medium risk, with none ranked as an extreme
risk. High-risk ICT audit findings are concentrated in a few ICT
general controls categories.

The five themes identified through our ICT audits were:
- ICT security controls need improvement
- management of service organisation assurance activities
- prior-period audit findings are not being addressed in a timely
- patch management processes need improvement
- ICT disaster recovery planning is weak.

In future reports, we will perform detailed maturity assessments
of selected entities' ICT environments and examine some selected
areas of focus, such as identity and access management, software
licensing and wireless network security.