ANAO: Auditing not driving improvements in Commonwealth cybersecurity adherence
Audit Office said non-corporate Commonwealth entities have not been held to account for not meeting mandatory cybersecurity requirements under the Protective Security Policy Framework, specifically the mandate to safeguard information from cyber threats.
The Australian National Audit Office (ANAO) has said it considered continued transparency through reporting to Parliament where cybersecurity risk is concerned to be a positive, but it remained concerned that this may not be enough to drive improvement.
In documentation [PDF] prepared for the Joint Committee of Public Accounts and Audit (JCPAA), ANAO said it was clear that auditing and reporting alone has not driven improvement in compliance with the government's cybersecurity policy.
"Non-corporate Commonwealth entities have not been held to account for not meeting the mandatory cybersecurity requirements under PSPF Policy 10," it wrote, in reference to the Protective Security Policy Framework (PSPF) Policy 10, which is centred on safeguarding information from cyber threats.
"The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements."
The JCPAA last year reviewed a pair of reports from ANAO and handed down a number of recommendations in its own report published in December. One of the recommendations asked ANAO to consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities.
"The review should examine and report on the extent to which entities have embedded a cyber resilience culture through alignment with the ANAO's framework of 13 behaviours and practices," JCPAA asked. "The review should also examine the compliance of corporate and non-corporate entities with the Essential Eight mitigation strategies in the Information Security Manual and be conducted for five years, commencing from June 2022."
ANAO said implementing the recommendation has posed a number of practical challenges from an audit perspective, with the first being it considers there to likely be cybersecurity risk concerns raised by ASD.
"ASD has advised that a system-level report would pose cyber risks that it believes would be unacceptable. Given ASD is the technical expert, it is best placed to assess those risks and therefore difficult for the ANAO to take a different view," it said.
ANAO also considers the scope proposed in the recommendation as challenging, given that only non-corporate Commonwealth entities are mandated to apply the PSPF. It said the fact that there are currently 98 non-corporate entities subject to the policy has also created a scope challenge.
"The absence of assurance over material reported by entities to AGD in their self-assessments means that audit procedures would need to be conducted across the population of entities' self-assessments (whole or risk-based sample) to assure accuracy," ANAO added.
It also said limited assurance procedures do not result in a report, which informs the Parliament about the actual implementation of cybersecurity requirement.
"Current ANAO work in cybersecurity in both financial statements audits (IT controls) and in performance audits indicate that the ANAO is likely to find issues with the accuracy of self-assessments," it wrote.
"In the event that accuracy issues are found, the ANAO would conclude that the report could not be relied upon, but would not report on whether entities actually do meet the requirements of the PSPF."
The Audit Office report shows the Attorney-General's Department and Department of the Prime Minister and Cabinet did not accurately self-report full implementation of one or more Top Four mitigation strategies.
Despite being responsible for setting cybersecurity policy and monitoring its adherence across the board, the Attorney-General's Department and the Department of Defence have said it's the responsibility of Commonwealth entities themselves and any questions should be directed as such.