The Australian National Audit Office (ANAO) has panned several Federal departments after it found they had inadequate or absent disaster recovery plans in a recent financial management audit.
The Australian Electoral Commission (AEC), Australian Securities and Investments Commission (ASIC) and two sub-departments of Medicare were all found to have inadequate IT recovery plans in place, according to the Audits of the Financial Statements of Australian Government report on 30 June.
The report said that, at the time of the audit, the AEC hadn't developed adequate disaster recovery or business continuity plans, leaving the department at risk of data loss and disruption in the case of accidental data loss or disaster.
The report also fingered Medibank Health Solutions (MHS) and ComSuper as having disaster recovery shortfalls.
"The 2009/10 audit identified that MHS's Business Continuity Plans and Disaster Recovery Plans were still not specific to MHS's business and operational environment and there was no evidence of formal testing of these plans," the report said.
Likewise, ComSuper was found to have inadequate disaster recovery procedures, an issue that had already been flagged in the last annual financial audit of 2008/09, but it was in the middle of implementing new procedures at the time of the 2009/2010 audit.
The audit report also identified sub-standard security procedures used by the Customs and Border Protection Service, including the use of simple passwords and the implementation of inadequate user-management procedures.
"[Weaknesses included] insufficient complexity of passwords, lack of monitoring of privileged users and instances where there was inappropriate approval of new users and weaknesses in the management of user access to the Integrated Cargo System," the report said.
The audit office confirmed that Customs will work on rectifying the issues before the 2010/11 financial audit.
The Department of Broadband, Communications and the Digital Economy (DBCDE) was also found to have been using inadequate IT reporting systems, meaning that auditors were unable to trace individual users back to the changes they had made in the system.
"ANAO confirmed that DBCDE had addressed this matter by the removal of these access privileges and by implementing a system to proactively monitor system access," the audit report said.
The report also recommended that the Department of Defence shore up IT asset management in order to better track gear and inventory.
"A number of significant and moderate audit issues remain outstanding in relation to a need to … improve IT and business process controls necessary to ensure the timely and accurate processing of inventory returns," it said.