This report summarises the results of our audits of 45 public
sector entities' IT controls performed in support of VAGO's 2014–15
financial audits. This report is in its second year and builds on
the inaugural ICT controls report 2014–15 to provide additional
insight and increase visibility of our IT audit findings. It
also summarises reviews undertaken over two areas—identity &
access management (IDAM) and software licensing practices.
Sixty-five key financial IT applications and their
infrastructure were audited, with 462 associated audit findings
used as the basis for this report’s analysis.
Most IT audit findings identified were rated medium and high
risk, with one audit finding rated as an extreme risk. Along with
the specific IT audit findings, this report draws out the following
three clear emerging themes:
- management of controls at outsourced IT environments requires
- use of IT systems that are no longer supported or at their
- IT security controls need improvement.
Notwithstanding some deficiencies in IT controls, VAGO was able
to rely on these controls for financial reporting purposes because
other mitigating controls were identified and tested.