Spring might only be weeks away, but in Canberra the government's central scrutinizer is gearing up for a tech clean-up, with a slew of audits of the public sector's IT capabilities dominating the latest tranche of reviews for the next 12 months.
The Australian National Audit Office (ANAO) this week revealed its highly anticipated annual work program of potential reviews, with no fewer than 14 zeroing in on IT, cyber security and privacy.
The tech probity probes follow one of the worst years for high-profile IT blunders during 2018, despite the Digital Transformation Agency’s best efforts to stop projects from boiling over.
The scope of potential audits ranges from scrutiny of central technology policy and processes to targeted inspections of individual IT projects at a number of central agencies.
The approval and oversight of major IT projects, particularly “projects with long-term delivery schedules”, is one such area that will fall under the microscope.
“Previous performance audits have found that entities have not established appropriate governance and oversight arrangements to support the delivery of project outcomes on time and on budget,” the ANAO said.
“In particular, outcomes may be compromised by a lack of competition in tendering processes, scope creep and passive contract management.”
In the case of the national biometric database, the ANAO described the Australian Criminal Intelligence Commission's handling of the project as “deficient in almost every significant respect” following procurement.
The cross-portfolio audit would look at the procurement process, including how agencies manage contracts and maintain value for money after government approval.
Another potential audit that is likely to have government-wide ramifications will examine the government’s collective buying power for purchasing cloud services.
It would be particularly timely given last week’s $39 million three-year volume sourcing agreement with hyperscale cloud provider Amazon Web Services.
The review would likely look at the “security, privacy and financial and legal implications” of acquiring cloud solutions through channels like the Digital Transformation Agency cloud service panel.
Infosec focus to continue
Following a series of adverse findings relating to the cyber resilience of agencies over the past two years, the ANAO will again use its work program this year to examine infosec controls.
The audits are crucial for keeping agencies in check given the government’s peak cyber security agency, the Australian Signals Directorate, has no responsibility for conducting ‘spot checks’.
The ANAO has proposed conducting another review of the cyber resilience of non-corporate Commonwealth entities, though it has not disclosed which agencies will be targeted.
The audit would involve assessing cyber security controls and comparing them against ASD’s top four cyber mitigation strategies, which are considered the federal government’s minimum cyber security requirements.
The ANAO could also scrutinise how the newly forged Services Australia is “balanc[ing] the collection, storage and sharing of customer data with the appropriate protection of customer privacy”.
“As a result of Services Australia’s responsibility for delivering Medicare, Centrelink, pension payments and other services, it holds data relating to most Australians,” the auditor said.
“Maintaining confidence in the department’s ability to protect the private information of customers is a key risk that requires active and ongoing management.”
Despite the large number of audits aimed at central IT policy areas, the laundry list of potential reviews is overwhelmingly weighted toward IT projects within a number of key agencies.
One audit would look into the Department of Defence’s governance and management of its IT environment and major IT projects.
“The audit would assess Defence’s management of ICT issues at the whole-of-Defence, Chief Information Officer Group and project levels,” the ANAO said.
The Department of Veterans’ Affairs’ multi-year IT reform project known as the veteran centric reforms program is another project that could fall within the auditors’ crosshairs.
The program, which has already deployed a new self-service platform dubbed MyService, aims to improve services for veterans by streamlining DVA’s complex network of systems and replacing outdated manual processes.
The Department of Home Affairs’ controversial procurement of a new externally operated visa processing system, which will be paid for using a service fee from each temporary visa issued, could similarly be reviewed.
Other potential audits slated for 2019-20 include:
- The Australian Bureau of Statistics’ planning for the 2021 Census after a review of the high-profile 2016 eCensus debacle found the risk of a DDoS attack had been underestimated
- The Department of Prime Minister and Cabinet’s implementation of the government's 2015 public data policy statement and how selected entities are complying with data-sharing requirements
- Strategies in place from NBN Co to manage its transition from building to operating the NBN
- The Department of Communications and the Arts’ management of the $297 million universal service obligation with Telstra
- The Department of Health’s procurement of a privileged access management solution to boost its compliance with the essential eight security controls
- The Department of Foreign Affairs and Trade’s implementation of its 2017-19 business technology strategy
- Services Australia’s administration of proof of identity requirements for granting access to welfare payments and other services