We used data from our annual performance measure dashboard to look at departments’ service delivery performance between 2020–21 and 2024–25. 

We looked at 282 performance measures in 34 outputs. From this selection, 101 measures did not have data for every year between 2020–21 to 2024–25.

Of the measures with data, departments met their targets every year in 28.2 per cent of performance measures. They missed their targets by a significant margin every year in 11.0 per cent of performance measures.

Covered in this section:

We looked at departments' service delivery performance in 2024–25.

Departments had 1,299 performance measures in 2024–25. Departments met 65.2 per cent of their targets, but missed 23.2 per cent by a significant margin.

Operational factors, resource constraints and low service uptake or demand are the most common reasons departments gave for missing their targets by a significant margin.

Covered in this section:

What we examined

Our review followed one line of inquiry:

1. Have departments met their service delivery performance targets?

To answer these questions, we examined performance statements and annual reports between 2020–21 and 2024–25 for the:

Download a PDF copy of Appendix D: VAGO's maturity model for server security.

Download a PDF copy of Appendix C: Audit scope and method.

Download a PDF copy of Appendix B: Abbreviations, acronyms and glossary.

Download a PDF copy of Appendix A: Submissions and comments.

All agencies can improve the technical security controls applied to their known servers.

Based on our assessment against established industry benchmarks, the maturity level of technical security controls applied by all agencies to their known servers is low. 

Most known servers are running operating systems that are not receiving mainstream support. 

These factors increase the risk that agencies will not detect server vulnerabilities.

No audited agency has a complete and accurate server inventory. 

Automated asset discovery tools used by agencies do not capture all servers, and few agencies use reconciliations to crosscheck their server inventory. All agencies provided us with server inventory information that had either incomplete or duplicate entries.

If agencies are not accurately tracking all their servers, they do not have all the information they need to protect their IT infrastructure.

Covered in this section:

We made 3 recommendations to address our findings. The relevant agencies have accepted the recommendations in full or in principle.