Weaknesses exposing ACT government systems and data to risk of fraud and cyber attacks have been identified in a new report.
Auditor-General Michael Harris said progress had been made in recent years to address long-standing issues, but that they needed to be a higher priority.
The 2018-19 Financial Audits - Computer Information Systems report was handed to the Speaker on Wednesday to be tabled in the ACT Legislative Assembly.
"There are weaknesses in these controls that expose the ACT government's systems and data to higher than necessary risks, which could lead to errors and fraud, unauthorised access to sensitive information, cyber security attacks, loss of critical data and the inability to promptly recover systems in the event of a major disruption or disaster," Mr Harris said.
He said it was "critically important" controls over the system minimise the risk of financial results being misstated.
"Financial information produced from agency computer information systems is only as accurate and reliable as the data that is entered and maintained within them," he said.
A review of controls as part of financial audits found information in agencies' financial statements was "accurate, complete and reliable".
The weaknesses identified in the report related to the effective management of user access to the ACT government network and applications; implementation of application white-listing (a technique used to only allow authorised applications to operate on systems); and audit log monitoring to check the appropriateness of users' activities.
According to the report, government agencies have made improvements to information systems, with the number of findings in the audit dropping from thirteen five years ago to four in 2018-19.
"Agencies have also made substantial progress in addressing the remaining four audit findings and have advised that they expect most of them to be resolved in 2020."
Twelve recommendations were made for agencies to improve control over their computer information systems. Five of these had been made previously and had not been "fully resolved", including management of access to the ACT government network through shared user accounts.
"Generic (shared) user accounts are more susceptible to being used to gain unauthorised or fraudulent access to data and applications because they reduce management's ability to trace actions to a specific individual," the report stated.
According to the report, improvements had been made to reduce the number of these accounts in all directorates except the health directorate, which was currently working to reduce the number of unnecessary accounts.
