Good records management is the foundation of government accountability. In Victoria, accountability is enshrined in the Public Administration Act 2004, which requires public servants to submit themselves to appropriate scrutiny. This typically includes scrutiny of the records they make or receive in the course of their duties. These records are known as 'public records'.

Well-managed public records enable governments to make informed decisions, to deliver services, and to demonstrate performance, transparency and accountability.

Ordered to be published

VICTORIAN GOVERNMENT PRINTER MARCH 2017

PP No 249, Session 2014–17

This Appendix provides information about recent major changes within the public sector in relation to information technology (IT).

This Appendix shows our maturity assessment scores by information technology (IT) general controls category for the selected 38 entities by sector. The overall maturity assessment score is derived by averaging the aggregated maturity scores of the entities, as listed in Appendix C.

Ratings for audit findings reflect our assessment of both the likelihood and consequence of each identified issue in terms of its impact on:

• the effectiveness and efficiency of operations, including probity, propriety and compliance with applicable laws
• the reliability, accuracy and timeliness of financial reporting.

The ratings also assist management to prioritise remedial action.

Figure D1

Rating definitions and management action

This Appendix contains a list of the entities included in the scope of this report and shows which entities were included in focus area surveys (covering wireless security and the Australian Signals Directorate Top 4 Strategies to Mitigate Targeted Cyber Intrusions) and information technology (IT) control maturity assessments.

Figure C1

Entities selected for this financial systems controls report

Why this report is important

This audit aggregates our information technology (IT) audit findings covering policies, procedures and activities put in place by an entity to ensure the confidentiality, integrity and availability of its IT systems and data. This report also provides decision-makers with information and insights to help them address IT audit findings, improve processes and controls, and enhance accountability across the public sector.

We consulted the Department of Premier & Cabinet and the members of the Chief Information Officers Leadership Group while preparing this report and we have considered their views when forming our findings and drawing our audit conclusions.

As required by section 16(3) of the Audit Act 1994, we provided a copy of this report, or relevant extracts, to the Department of Premier & Cabinet, portfolio departments, the Commissioner for Privacy and Data Protection, and CenITex, and requested their submissions or comments.

The Australian Signals Directorate (ASD) has developed a list of 35 strategies to mitigate targeted cyber intrusions. The list is based on ASD's experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.