Vic audit warns of weak IT controls in council systems


Victoria’s auditor-general is concerned at an increase in the number of weak IT controls in the state’s local government sector.

In a new audit of local government books, the office said it had increased its scrutiny of councils’ IT controls, and didn’t like what it found.

“In 2021–22, we increased our use of system assurance auditors. As a result of this shift in audit approach, we found more IT control weaknesses,” the report stated.

Reported weaknesses increased across nearly every measure: access management, policies and procedures, logging and monitoring, backup and recovery, and change management.

Controls addressing just one measure, intrusion detection, improved between 2021 and 2022. 

“Poor IT controls increase the risk of unauthorised access, cyber-attacks, fraud, error, data manipulation and information theft,” the report noted.

The audit rated all of those indicators as medium risk.

The auditor-general also called for councils to adopt the Australian Signals Directorate’s Essential Eight mitigation strategies.

The report said the baseline “makes it much harder for people to compromise systems”, which would “help councils protect customer and sensitive data better.”

In a previous audit, the auditor had highlighted the way Covid-19 work-from-home policies increased risk, with more people accessing sensitive data from remote locations.

IT controls are a challenge for councils all over the country.

Last June, the NSW auditor-general said IT issues continued to be a key area of concern, with 65 councils “yet to implement basic governance and internal controls to manage cyber security”.

In response, the NSW Office of Local Government released cyber security guidelines for councils in December.

Queensland was similarly critical in an audit released in May 2022. 

“This year, our audits identified 67 new internal control deficiencies with respect to councils’ information systems,” the state’s auditor said.

“These are in addition to the 28 information systems internal control deficiencies that are unresolved from previous years.

“The most common weaknesses in information systems controls were in relation to incorrect levels of system access assigned to staff”.


