Financial issues hinder information security in government agencies, ANAO says

By Tom Ravlic

Thursday June 17, 2021

An interim report revealed a range of information security issues in government agencies. (Adobe/Monkey Business)

An interim report into the key financial controls of 25 entities revealed a range of information security issues, writes Tom Ravlic.

Everyone is aware cyber security is a very serious issue. The amount of media and social media coverage given to various denial-of-service attacks, espionage attempts, and the manner in which crooks and bad state actors have sought to steal money and secrets is testament to that.

Government agencies need to comply with particular information and technology protocols to assist with protecting them from prying digital fingers, but a recent Australian National Audit Office report says that agencies it had reviewed had, well, slacked off just a tad.

The interim report into the key financial controls of 25 entities revealed a range of information security issues had bobbed up within the departments and agencies looked at by ANAO’s audit foot soldiers.

The ANAO highlighted 60 issues in its report on key financial controls, with 32 being related to information technology and data security.

Relevant guidelines have been in place for at least seven – going on eight – years, and folks appear to be unable to get their act together.

“The [Protective Security Policy Framework] cyber security requirements have been in place since 2013. Entities’ inability to meet these requirements indicates a weakness in implementing and maintaining strong cyber security controls over time,” the report observes.

“Previous audits of cyber security by the ANAO to assess the entities’ implementation of PSPF cyber security requirements have not found an improvement in the level of compliance with the controls over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.”

Government entities are not the only ones to have had problems with their information systems and security. Consider the work done by the Australian Competition and Consumer Commission on scams. The ACCC’s most recent report on its scam-sleuthing efforts points out that $851 million was lost to scams in 2020.

Investment scams were the source of $328 million worth of losses, people looking for love had $131 million taken from them, and business e-mail-compromise scams cost unaware companies $128 million.

There is every chance that the number is even larger given the figures aggregate the dollars pinched from punters mentioned in more than 444,000 reports to different agencies, including the ACCC.

Take a second look at the figure attributed to business e-mail-compromise scams, which are scams in which bad actors seek to impersonate a senior executive or manager in order to convince a staffer to transfer funds to what they might believe is a legitimate account.

A staff member in these circumstances could unwittingly be aiding fraud if they are not careful to check the instructions with the person who had purportedly sent them the e-mail.

These are merely two examples of what businesses and governments are facing when it comes to grappling with digital thieves or state-based bad actors wanting to ‘jimmy open’ an entity’s firewall to steal secrets and commit financial crime.

Heightened tensions about how the information pathways online are used by bad guys are also part of the reason why the Auditing and Assurance Standards Board has issued a 14-page bulletin looking at what auditors should be considering when auditing information systems as a part of the financial statement audit.

The bulletin, which is freely accessible online on the AUASB website, takes a dive into the auditing standards and points out what is relevant in the context of assessing how robust information systems are in the current environment.

It makes clear that an auditor should not just review systems because the client tells them a cyber attack has taken place or money has been nicked because a crook has managed to outwit the management of an entity.

Cyber security should be considered in a financial statements audit, so that an audit team understands what system an entity runs, how the system operates, and which aspects of the I.T. directly impact the production of a financial report that can be relied upon.

A bulletin on cyber security having been issued by the auditing and assurance standard setter demonstrates initiative, but it also points to something else that needs greater consideration within audit and accounting regulation.

This bulletin is a ‘stop gap’ measure that enables auditors to reflect on what they are able to do in the context of reviewing a client’s systems for online security, but it is not a standard in its own right.

Bulletins enable a timely response to market demands, but they are also evidence that at times the international audit standard setting regime Australia relies on for the ‘meat and potatoes’ of its auditing standards moves slowly.

A domestic standard setter such as the AUASB needs to be sufficiently agile to fill gaps in guidance while it waits for international bodies to modernise a globally recognised framework for audit.

Global standard setters do catch up eventually but that is not sufficient when crooks are becoming more sophisticated by the day and are leveraging technologies for their own dark purposes.

