Australia’s national auditor is considering an audit into the development of the federal government’s GovPass digital identity system as the now $450 million-plus project enters its sixth year.
The Australian National Audit Office has also singled out the government’s COVIDSafe contact tracing app for review, including whether its design and use is both economical and effective.
In its draft annual work program for 2021-22, released on Thursday, the auditor proposed 16 reviews aimed at government IT, cyber security, privacy and data over the next 12 months.
One of the potential areas for review is the GovPass digital identity system, which the ANAO has hand-picked following the government’s $256.6 million investment in last year’s budget.
The new funding – which more than doubled the government’s previous investment in the project's first five years – is intended to accelerate development and prepare for an economy-wide rollout.
The ANAO said the audit would “review the progress of the implementation, design and functionality of the system”, as well as “allocation and expenditure of funding, including contract management”.
It will also look at the “roles and responsibilities of stakeholders”, including the Digital Transformation Agency which oversees the trusted digital identity framework, and the Department of Home Affairs.
The Department of Social Services, namely the DTA, and the Department of Home Affairs also face a potential audit for their role in the development of the COVIDSafe contact tracing app.
The app, which was likened to ‘sunscreen’ by Prime Minister Scott Morrison when it launched in April 2020, was intended to support the manual contact tracing process by health officials.
But more than a year on, only 17 unique close contacts – all of whom were in NSW – have been identified using the app, despite more than 7 million downloads.
At the same time, the app cost $6.7 million to develop and, after entering a “business-as-usual state”, will cost at least $100,000 – and as much as $300,000 – a month on an ongoing basis.
The ANAO said the “audit would assess how economically and effectively the COVIDSafe app was designed and is being used”, including the procurement process and “how it has been promoted”.
The auditor noted that the inquiry probing the government's Covid-19 response had found the “app launched with significant performance issues and only been of limited effectiveness in its primary function”.
“The committee recommended the Australian Government commission an independent review into expenditure on, and design of, the COVIDSafe app. The government is yet to respond to this recommendation,” the ANAO added.
The government’s protracted exit from Global Switch’s Ultimo data centre also faces a potential audit after a number of government agencies failed to leave the facility by the end of last year.
Agencies, including the Australian Taxation Office and Home Affairs, are currently in the process of migrating from the Chinese-owned facility by July 2022.
But the Department of Defence is not expected to leave until 2024-25, having recently renewed its contract at a cost of $53.5 million, as revealed by iTnews earlier this year.
The ANAO said the Foreign Investment Review Board’s (FIRB's) decision to approve the sale of a 51 percent stake in the company to Elegant Jubilee in 2016 could form the basis of the review.
Any audit would likely look at the “risk management processes prior to the 2016 FIRB approval”, as well as the “risk assessments for new alternative arrangements”.
The audit could also look more broadly at the “government decision (in 2008) to outsource government data storage and hosting to the private sector”.
The ANAO added that “about 40 petabytes of data up to secret level” still resides in the data centre, though Defence and Home Affairs have both previously denied that this belongs to them.
Many of the cyber security audits planned for this financial year look set to be pushed back to 2021-22, including one titled the ‘management of cyber security’.
The audit would involve “comparing the entities’ cyber security framework and controls against the mandatory controls required under the… Australian Signals Directorate’s Essential Eight”.
Another audit could also “assess the effectiveness of commercial entities complying with relevant government cyber security requirements”, the ANAO said.
The ANAO is also considering a wider review of the government’s Protective Security Policy Framework, which was revised by the Attorney-General’s Department (AGD) in late 2018.
AGD has already flagged stricter cyber security accountability mechanisms for agencies after 73 percent reported either ‘ad hoc’ or ‘developing’ levels of maturity with ASD's mandatory Top Four cyber mitigation strategies in 2018-19.
Other potential audits slated for 2021-22 include:
- The ATO’s governance arrangements and associated frameworks, process and practices for the effective, efficient and compliant use of data, initially slated for 2020-21
- Services Australia’s collection, verification, recording and exchange of customer information and data through Centrelink, Medicare and Child Support
- The effectiveness of the ATO’s project management of the modernising business registers project, which will consolidate Australia’s 32 business registers onto a single platform
- Services Australia’s customer experience transformation, including how customer insights, experience and feedback are applied in human centred design processes
- NBN Co’s transition from building to operating the NBN following the completion of its ‘volume rollout’
- The effectiveness of Defence’s management of information assets, including records, information and data
- Home Affairs’ planning and approach to ensuring resilience and security of critical infrastructure under the critical infrastructure resilience strategy
- The effectiveness of the Data Integration Partnership for Australia (DIPA) implementation and how it has been used to improve public policy and administration