fbpx Information and Communications Technology Controls Guide | Victorian Auditor-General's Office

Information and Communications Technology Controls Guide

The guide is available as a PDF form.

Information and Communications Technology Controls Guide


This guide has been developed to assist organisations with identifying areas for improvement regarding their information and communications technology (ICT) controls. It draws on the work undertaken in ICT controls-based audits across the Victorian public sector. It is designed to promote more robust practices and to enhance the ICT control environments at public sector organisations. ICT controls should form part of each organisations' broader security considerations, which should address both internal and external threats and risks. This guide does not replace the standards and guidelines which Victorian public sector organisations must comply with, but rather it complements them.

Public sector organisations are encouraged to assess their ICT control environments against this better practice guide, and use the results to improve their practices.

Signature of Dr Peter Frost, Acting Auditor-General

Dr Peter Frost
Acting Auditor-General
February 2016

The importance of ICT controls

Public sector organisations increasingly use complex and interconnected ICT systems to deliver services to Victorians, and therefore it is vital that they have effective and appropriate controls in place. A conceptual example is illustrated below.

Illustration of effective agency ICT systems

ICT systems

An ICT system is a collection of computer hardware and programs that work together to support business and operational processes. ICT systems are primarily made up of three core components:

  • Operating system—core programs that run on the ICT hardware that enable other programs to work. Examples of operating systems include Microsoft Windows, Unix and IBM OS/400.
  • Applications—programs that deliver business and operational requirements. Examples of applications include Oracle E-business suite, SAP and TechnologyOne. These components are typically supported by an organisation's network infrastructure.

ICT controls

ICT controls are policies, procedures and activities put in place by an organisation to ensure the confidentiality, integrity and availability of its ICT systems and data.

ICT controls include the establishment and adherence to appropriate structures for managing:

  • organisational governance
  • system security
  • ICT operations and architecture
  • change and release
  • system development and implementation
  • backup and recovery.

The PDF of this guide contains interactive checklists for each of these topics.

Further references and resources

Further guidance on ICT controls and practices is available through resources such as those below: