Audits alone won't solve govt cyber woes: ANAO

National auditor-general Grant Hehir has questioned a proposal that would see his office review the cyber security of federal government agencies on an annual basis while internal assurance mechanisms and incentives are missing.

In December, a parliamentary committee recommended the ANAO conduct five years of annual assurance reviews into the cyber resilience of both corporate and non-corporate Commonwealth (NCCEs) entities.

The review would examine compliance with the Essential Eight, one of 16 core requirements that agencies self-assess against under the protective security policy framework (PSPF), after existing accountability mechanisms were found to be “limited”.

Numerous audits conducted by the ANAO support this finding, with the most recent review noting that “previous audits of cyber security… have not found an improvement in the level of compliance with the controls over time”.

But in responding to the recommendation this week, Hehir said that while he supports increased transparency around compliance with the PSPF and particularly cyber security, audits alone were not the answer.

“The ANAO does not see an audit of the type suggested in the recommendations as the most effective way of achieving this outcome,” he said in a document [pdf] released by the committee on Monday.

“The ANAO has undertaken six performance audits of cyber security since the mandatory requirements came into effect in 2013. ANAO audits continue to find low compliance with cyber security requirements.”

Of particular concern to Hehir is the absence of “internal assurance mechanism[s] to assess the effectiveness of the [PSPF’s] implementation by entities”, and a lack of “sufficient incentives or disincentives to drive improvements in performance”.

“It is clear that auditing and reporting alone is not driving improvement in compliance with the government’s cyber security policy. [Commonwealth entities] have not been held to account for not meeting the mandatory cyber security requirements under PSPF policy 10,” Hehir said.

“The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvement of mandatory requirements.”

Hehir has asked that any future audit program by the ANAO precede the Attorney-General’s Department strengthening assurance arrangements to ensure “PSPF policy 10 self-assessments” are accurate.

The department gave an in-principle agreement to do so after the ANAO recommended such action in a March audit, which found the Department of the Prime Minister and Cabinet had incorrectly self-assessed as fully compliant with one mandatory Top Four control.

Hehir said that providing assurance on a report compiled by the Attorney-General's Department (AGD) that assesses the accuracy of the information being provided by the entities (in a similar way to Defence’s major projects report) would be “more efficient and effective”.

“Should AGD implement such assurance arrangements, the ANAO considers that the auditing of assurance of the policy would have merit given the poor performance of the sector over many years in both implementation of the policy and accurate reporting of implementation,” Hehir said.

“The extent of coverage of such an approach would take account of AGD’s work to verify reporting.

"The extent of reporting of such an audit would also be cognisant of potential risk within the sector as advised by the Australian Signals Directorate (ASD).”

In addition to ASD concerns, Hehir also noted a number of other practical challenges to auditing, including the number of agencies in scope, with even a partial audit looking at 40 of the 98 NCCEs [Commonwealth entities] to be costly and resource intensive.

“The cost to proceed with either of these approaches on a reasonable sample or total population is very high. A team of appropriate size and capability to undertake the scale and effort of the work is not currently available to the ANAO,” he said.

In response to the same parliamentary committee report into cyber resilience, the AGD last month recommended that the government mandate the Essential Eight for all NCCEs after endorsement by the government security committee.

A number of changes were made to the Essential Eight this month following a thorough review, including the reintroduction of a ‘maturity level zero’ rating to ensure “data points” are not lost during self-assessments.