This Appendix contains a list of the entities included in the scope of this report and shows which entities were included in focus area surveys (covering wireless security and the Australian Signals Directorate Top 4 Strategies to Mitigate Targeted Cyber Intrusions) and information technology (IT) control maturity assessments.

Figure C1

Entities selected for this financial systems controls report

Why this report is important

This audit aggregates our information technology (IT) audit findings covering policies, procedures and activities put in place by an entity to ensure the confidentiality, integrity and availability of its IT systems and data. This report also provides decision-makers with information and insights to help them address IT audit findings, improve processes and controls, and enhance accountability across the public sector.

We consulted the Department of Premier & Cabinet and the members of the Chief Information Officers Leadership Group while preparing this report and we have considered their views when forming our findings and drawing our audit conclusions.

As required by section 16(3) of the Audit Act 1994, we provided a copy of this report, or relevant extracts, to the Department of Premier & Cabinet, portfolio departments, the Commissioner for Privacy and Data Protection, and CenITex, and requested their submissions or comments.

The Australian Signals Directorate (ASD) has developed a list of 35 strategies to mitigate targeted cyber intrusions. The list is based on ASD's experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.

Wireless networks use radio waves to transmit data to wireless-enabled devices such as laptops, tablets and phones. This wireless technology enables users and systems to remotely access organisational data and resources without being physically connected to a cable in an office. Wireless security aims to prevent unauthorised access to systems using wireless networks.

This Part provides a high-level analysis of the findings from our 2015–16 information technology (IT) general controls audits, analysed by:

When planning a financial audit, our auditing standards require that we understand and evaluate an entity's information technology (IT) environment and any risks arising from this that relate to the reliability of financial reporting.

During the audit we may then test the effectiveness of selected IT controls to determine whether they are operating as the entity's management intended and are effectively mitigating risk.

This report is in its third year and builds on last year's Financial Systems Controls Report: Information Technology 2014–15. In this report we provide a high-level overview of the strength of information technology (IT) controls that operate across a number of entities to protect their financial information.

Ordered to be published

VICTORIAN GOVERNMENT PRINTER November 2016

PP No 218, Session 2014–16