Australian 2021 Census preparation gets marginal pass mark from auditor

ANAO said the IT framework the bureau has established for the 2021 Census is largely appropriate, however, just under a year out from deadline, its implementation is not complete.

The Australian National Audit Office (ANAO) has labelled the preparation for the 2021 Census by the Australian Bureau of Statistics (ABS) as "partly effective".

"The ABS has established largely appropriate planning and governance arrangements for the Census. The risk framework is compromised by weaknesses in the assurance arrangements," ANAO wrote in its Planning for the 2021 Census report. 

ANAO said the ABS is partly effective in its development of IT systems for the 2021 Census.

It said generally appropriate frameworks have been established to cover the Census IT systems and data handling, and the procurement of IT suppliers, but that the ABS has not put in place arrangements for ensuring improvements to its architecture framework, change management processes, and cybersecurity measures will be implemented ahead of the 2021 Census.

"The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations, and ensuring timely delivery of the 2021 Census," the auditor added. "Further management attention is required on the implementation and assessment of risk controls."

The 2021 Census will be built using the Amazon Web Services cloud through a contract awarded to PwC Australia.

The change of approach is expected to counter any repeats of what occurred in 2016, when the ABS experienced a series of small denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false positive report of data being exfiltrated which resulted in the Census website being shut down and citizens unable to complete their online submissions.

The Census was run on on-premises infrastructure procured from tech giant IBM.

This time around, ANAO said oversight arrangements, specifically the planning and governance arrangements, are appropriate, except that the ABS does not have an overarching plan to coordinate activity plans and enable a clear view of progress against planned activities.

It also said the implementation of ABS' IT framework for the 2021 Census was still not yet complete, although it noted it was largely appropriate.

"The ABS has not established a systematic process for managing risks associated with non-compliance. Census systems do not fully align with the ABS enterprise IT framework giving rise to risks in relation to system integration and compliance with legislation and ABS policy," ANAO said.

"The ABS has not established a process to mitigate the risk of unauthorised changes being implemented across systems supporting the Census."

ANAO said the ABS is also establishing partly appropriate data handling practices, as well as partly appropriate cybersecurity measures, for the 2021 Census.

"The high-level measures and controls in the ABS' cyber security strategy for the 2021 Census are sound. However, the strategy has not been fully implemented," it clarified.

"The ABS has established IT supplier contracts that support value for money outcomes. The ABS has largely met key legal requirements for its Census IT procurements of AU$1 million or more."

In response to the omnishambles that was the 2016 Census, there have been three reviews that made 36 recommendations, 29 of which were directed at the ABS and agreed upon. Since then, the ABS has frequently stated it is committed to learning from the experience of the 2016 Census in conducting the 2021 Census.

"The failure of multiple IT controls during the 2016 Census reinforced the need for the ABS to implement robust planning arrangements for the 2021 Census including for cyber security, procurement, and review recommendations. An audit of the ABS' preparedness for the 2021 Census would provide assurance on whether the ABS is on track to delivering its objectives for the Census," ANAO said in explaining the rationale behind its audit.

MORE FROM THE AUDITORS