Councils told to step up on cyber security

The NSW auditor general has called for the office of local government to develop a cyber security policy to ensure a consistent response across councils after finding 80 per cent don’t have a cyber security framework.

“The Office of Local Government … should develop a cyber security policy by 30 June 2021 to ensure a consistent response to cyber security risks across councils,” Auditor General Margaret Crawford says in a report handed down on Thursday.

The audit looked at the state’s 138 councils and 13 joint organisations, which share revenue of $15.3 billion, assets of $166 billion and liabilities of $7.3 billion.

It identified 1,947 issues, of which 41 per cent related to IT.  Of those, 68 per cent of issues related to access management.


At total of 575 issues relating to IT were identified, compared to 448 in the previous reporting period.

They related to a range of concerns including IT policies, lack of risk management, shared user accounts, weak passwords and poor system implementation.

The report says cyber security management requires improvement, with “some basic elements of governance not yet in place for many councils”.

The audit found 71 per cent of councils didn’t have IT policies and procedures and 41 per cent didn’t register risks.

Meanwhile, the audit found only twenty per cent of councils had a formal cyber security policy or framework, 84 per cent didn’t budget for cyber security and 76 per cent had not given staff cyber security training.

“We continue to report deficiencies in information technology controls, particularly around user access management. These controls are key to ensuring IT systems are protected from inappropriate access and misuse,” Ms Crawford  said.

Source: NSW Auditor General.


The report, based on audits to the end of 2019 , also says councils could be better prepared for new accounting standards being implemented this year and should bolster asset management practices.

It identified 59 prior period errors with a value of $1.3 million, with 59 per cent of those the result of poor asset management.

However, the report gives councils a pat on the back for reducing errors and improving fraud control.

“Fewer errors were identified. More councils have audit, risk and improvement committees and internal audit functions. Risk management
practices, including fraud control systems, have also improved,” Ms Crawford said.

“These are very pleasing indicators of the gradual strengthening of governance and financial oversight of the sector.”

Comment below to have your say on this story.

If you have a news story or tip-off, get in touch at  

Sign up to the Government News newsletter

Leave a comment:

Your email address will not be published. All fields are required