The aim of Audit Lessons is to communicate lessons from our audit work and to make it easier for people working within the Australian public sector to apply those lessons.

This edition is targeted at security, information communications technology (ICT) and human resources officials responsible for managing ICT system access and the offboarding process for employees and contractors separating from an entity.

Background

Information systems play an important role in the functioning of entities. They facilitate the communication and sharing of information and support decision-making and recordkeeping. Organisations must: provide access to information while maintaining the confidentiality, integrity and availability of relevant information; and minimise the risk of unauthorised access, misuse, alteration or loss of information.

Access to information systems is typically managed through the establishment of processes and protection measures that allow the identification and authentication of users and the granting, monitoring and removal of systems access.

Protection measures should be commensurate with the value of the information requiring protection and the identified threats. These measures should indicate access requirements for different types of users, including general users, privileged users and external users. Each type of user should have a different level of access, which is appropriate for their role and responsibilities.

Separating personnel include employees and relevant contractors:

  • voluntarily leaving an entity;
  • whose employment has been terminated for misconduct or other adverse reasons;
  • transferring temporarily or permanently to another Australian Government entity (including machinery of government changes); and
  • taking extended leave.

Organisations should remove access for separating personnel in a timely manner and then monitor and report any unauthorised access.

Protective Security Policy Framework

The Protective Security Policy Framework (PSPF) and Australian Government Information Security Manual (ISM) assist entities to use their risk management framework to protect information and systems from both internal and external threats. The PSPF specifies the mandatory security requirements for non-corporate Commonwealth entities and represents better practice for other organisations. The ISM provides the guidance to implementing appropriate security controls across all Commonwealth entities.

The PSPF sets out government protective security policy in terms of: security governance; information security; personnel security; and physical security. PSPF Policy 9 ‘Access to Information’ and PSPF Policy 14 ‘Separating Personnel’ outline security measures to control access to Australian Government information and separation measures that help to mitigate risks associated with separating personnel.

  • PSPF Policy 9 requires entities to control access to supporting ICT systems and applications and ensure access to all classified information is only provided to people on a need-to-know principle.
  • PSPF Policy 14 requires personnel’s access to be removed upon separation or transfer from the entity. Inadequate security measures for timely removal of access from separating personnel increase the risk of unauthorised access to security classified information.

The ISM provides guidance on both preventative and detective controls to assist organisations to meet the PSPF requirements and protect their systems and data from cyber threats.

Audit lessons

This edition sets out what we’ve found in recent audits and four lessons aimed at improving the management of ICT system access for separating personnel.

  • Offboarding policies/processes are necessary. Offboarding processes need to be robust and followed by all personnel. Processes need to be in place to monitor for and detect when offboarding processes have not been followed.
  • Human Resources and IT areas need to work together to ensure timely removal of access. Within entities, human resources and IT administration teams need to communicate and work together to ensure users are removed when they no longer have a business need to access systems. Timing is essential.
  • Monitoring all user access is important — including for staff and contractors. All users, including staff and contractors, need to be considered when implementing offboarding and monitoring processes.
  • Periodic reviews of user access should be undertaken and acted on. When monitoring processes detect unauthorised or unexpected access, all instances should be investigated. Subsequent actions should be based on risk.

What we’ve found in audits

ANAO financial statements audits regularly assess the management of ICT system access for separating personnel. During financial statements audits conducted for the two-year period from July 2021 to June 2023, the ANAO found that many entities were not meeting the requirements of the PSPF related to separating personnel. In 2021–22, 37 per cent of entities did not have a policy specifying the timeframe for removing access for separating personnel. This decreased to 21 per cent in 2022–23. Although the increase in the number of entities with a policy was an improvement, 14 entities were found to have a policy that did not align with the requirement of ISM Control 0430 (the timeframe to remove user access from government systems was later than the same day as separation or transfer). Six of the 14 entities had timeframes to remove user access from government systems greater than thirty days. Timely removal of access is an important control to prevent unauthorised access to government systems and data.

[Chart: Percentage of Commonwealth entities with policy specifying a timeframe for removal of access for separating personnel]

In 2021–22, 83 per cent of entities had not implemented monitoring controls for detecting unauthorised access by separating personnel. In 2022–23, 78 per cent had not implemented monitoring controls.

[Chart: Percentage of Commonwealth entities with controls for monitoring access of separating personnel in ICT systems]

Lessons on the management of ICT system access for separating personnel

The following four lessons are aimed at improving the management of ICT system access for separating personnel, based on the findings from ANAO financial statements audits over the past two years.

Lesson 1: Offboarding policies/processes are necessary

Offboarding processes need to be robust and followed by all personnel. Processes need to be in place to monitor for and detect when offboarding processes have not been followed. A policy for the timely withdrawal of access limits the potential for the integrity, availability and confidentiality of Australian Government resources to be compromised.

PSPF Policy 14 states:

Effectively managing personnel security includes ensuring departing personnel fulfil their obligations to safeguard Australian Government resources; this limits the potential for the integrity, availability, and confidentiality of those resources to be compromised.

ISM Security Control 0430 specifies that:

Access to systems, applications and data repositories is removed or suspended on the same day personnel no longer have a legitimate requirement for access.

An offboarding policy for the timely removal of access should include:

  • an understanding of what systems need protecting and to what level;
  • an understanding of who requires access to each system and to what level;
  • an understanding of what access should be removed;
  • the roles and responsibilities of each business area involved in the separation process, specifically including monitoring and communication between business, human resources and IT administration teams; and
  • the timeframes for removing access from separating personnel and achieving alignment to PSPF requirements and ISM guidelines.

The policy should be risk-based — it should be based on an understanding of the risks associated with the end-to-end process for managing the separation of personnel from an organisation. A risk assessment should be undertaken when timeframes deviate from PSPF requirements and ISM guidelines. Risk management involves identifying controls for mitigating the associated security risks. The policy should be continually improved based on lessons learned.

Case study 1. Periodic reviews of user access – Attorney-General’s Department

During the 2021–22 audit of the Attorney-General’s Department’s (AGD’s) financial statements, the ANAO identified weaknesses in the process for the removal of user access when employees or contractors were separating from AGD. In some instances, access was retained for up to 13 days.

During 2022–23, AGD reviewed its security risks and the adequacy of the processes for removal of user access. Controls were strengthened to ensure that the access was removed in a timely manner and aligned to risks within AGD’s business environment. This included adjusting the frequency of its detective control, which identifies instances of separated personnel who have accessed systems after their cessation date.

AGD investigates relevant security event logs and user activities related to any exceptions identified by its detective control to confirm that access was authorised and appropriate. Authorisation and appropriateness of access was confirmed through the inspection of relevant business and financial documents, and interviews with relevant staff.

To read more, see paragraphs 4.2.20–23 of Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2023.

Case study 2. Controls for the timely removal of ICT system access – Cross-entity

For the financial statements audits for the year ending 30 June 2021, the ANAO assessed the IT control environment for 18 entities included in the Interim Report on Key Financial Controls of Major Entities. The assessment included a review of Security Control 0430. The ANAO identified that eight of 18 entities did not adequately implement this control, which resulted in user accounts remaining active after personnel no longer required access. User accounts were subsequently accessed in five of the eight entities that did not adequately implement the controls.

The main contributing factor to failures in removal of access was the delay in notifications of the requirement to remove the access, such as when personnel left the organisation or a contract ceased. The lack of clarity around the roles and responsibilities between IT, human resources and business areas resulted in controls not being consistently applied.

To read more see paragraphs 2.35–50 of Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2021.

Lesson 2: Human resources and IT areas need to work together to ensure timely removal of access

Within entities, human resources and IT administration teams need to communicate and work together to ensure users are removed when they no longer have a business need to access systems. Timing is essential. Entities should establish and implement robust controls to reduce the risks associated with failures in removing user access after separation from an entity.

Controls for the risk of untimely removal of ICT system access could include:

  • regular validation of user access;
  • a program of regular training and communication on security obligations during separation processes for personnel who have human resource and user access management responsibilities; and
  • automated controls.

Using automated controls can be more advantageous than manual controls as they ensure that control activities are performed consistently and efficiently. The following are examples of automated controls that could assist with the timely removal of access from separating personnel.

  • Position-based access control: access is automatically removed when personnel change their position within the organisation. Personnel without a position will have access removed automatically.
  • Automated user access reviews: software can be implemented to automate onboarding and offboarding users, triggering user access reviews at predetermined intervals, and removing and changing incorrect privileges based on review outcomes.

Case study 3. Controls for timely removal of ICT system access – Department of Health and Aged Care

During the 2019–20 interim financial statements audit, the ANAO identified weaknesses in Department of Health (Health) security controls relating to separating personnel having access removed or suspended on the day they no longer had a legitimate requirement for access. During the final phase of the audit, the ANAO identified that there were users who retained access to its ‘SAP’ system post termination and a small number of these had accessed the system to print and email HR information.

Since the findings in 2019–20, Health has implemented the ‘Staff Admin’ system to enable access to Health’s systems to be controlled centrally and in a reliable and consistent manner. The Staff Admin system retrieves identity and position information from the SAP system and removes the need to manually enter information into other IT systems, reducing the risk of error or misconfiguration.

The Staff Admin system has ‘de-provisioning’ functionality that removes access automatically when a staff member’s separation date is reached. De-provisioning of an account is reliant on the manager submitting a request to offboard in the SAP system. This is consistent with requirements in Health policy.

During 2020–21, the ANAO found that Health had implemented significant control improvements. Improvements included educating staff of the importance of timely removal of access for separating personnel and implementation of processes which identified staff who accessed systems subsequent to separation. The ANAO identified a minor issue in the processes underpinning the timely communication of separating personnel to the IT division.

To read more, see: paragraphs 5.7.18–19 of Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2020; and paragraphs 4.7.21–22 of Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2021.

Lesson 3: Monitoring all user access is important — including for staff and contractors

Establishing controls for monitoring access in ICT systems assists with identifying unauthorised or suspicious access and minimising insider threats. All users, including staff and contractors, need to be considered when implementing offboarding and monitoring processes.

The ISM outlines several controls for monitoring ICT system access.

  • ISM Security Controls 1404 and 1648 specify that access to systems and applications is disabled after 45 days of inactivity.
  • ISM Security Controls 1566 and 1509 specify that access is centrally logged.
  • ISM Security Control 1591 specifies that access to systems, applications and data repositories is removed or suspended as soon as practicable when personnel are detected undertaking malicious activities.

Implementing controls for monitoring access in ICT systems should involve:

  • defining the approach to monitoring, including scope of activities and systems to be monitored, roles and responsibilities of control operators and management, and the actions required for managing exceptions; and
  • establishing a process for investigating user activities that have been performed after the date of separation of personnel, including investigating security logs, cross-verification with business and financial documents, and staff interviews, to confirm whether the activities were authorised and appropriate.

Case study 4. Controls for monitoring ICT system access – Department of Defence

In 2021–22, the ANAO conducted a performance audit on the effectiveness of the Department of Defence’s (Defence’s) management of contractors. The audit concluded that Defence had established fit-for-purpose policies and processes for the management of contractors. However, Defence could not demonstrate the effectiveness of its arrangements, in the absence of entity-level assurance based on a systematic approach to monitoring and reporting on implementation.

Defence had established arrangements to support compliance with the requirements of PSPF Policy 14. Defence reporting on compliance with PSPF Policy 14 (and relevant internal audits and assessments) indicated that implementation of Defence’s arrangements had been inconsistent. Internal audits finalised in May 2021 and March 2022 identified weaknesses in how the security policies had been disseminated to the operational level. There was also scope for Defence’s Contract Management Handbook to better support contract managers at the end of a contract, by including PSPF Policy 14 requirements in the relevant checklist.

The ANAO recommended that Defence establish arrangements to better support compliance with PSPF Policy 14, as well as monitor the effectiveness of arrangements to obtain assurance that PSPF Policy 14 is being met.

As part of the ANAO’s audit of Defence’s financial statements for the period ended 30 June 2023, the ANAO identified 1,451 users whose access to the Defence Network was not removed in accordance with ISM requirements. There were almost 2,000 instances where former employees and/or contractors had logged into and accessed data from Defence’s systems. The ANAO recommended that Defence:

  • implement processes to ensure the timely removal of employee and contractor system access;
  • implement system changes to capture and record system access and activities completed by users for an appropriate period of time; and
  • implement detective controls to identify instances where user access is not removed in a timely manner and monitoring controls to assess activities performed by those users after separation.

Defence agreed with the recommendations made by the ANAO and prepared a remediation plan to address the issues as a matter of priority.

To read more, see: paragraphs 4.28–47 of Effectiveness of the Management of Contractors — Department of Defence; and paragraphs 4.4.23–36 of Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2023.

Lesson 4: Periodic reviews of user access should be undertaken and acted on

Implementing periodic review of user access ensures that user access permissions are up to date and aligned with the principle of ‘least privileges’, reducing the risk of unauthorised and inappropriate access to information. When monitoring processes detect unauthorised or unexpected access, all instances should be investigated. Subsequent actions should be based on risk.

Periodic reviews of user access could involve:

  • establishment of policies and procedures defining the frequency of reviews, roles and responsibilities of control operators and management, the scope of each review, and the approach to managing exceptions; and
  • the validation of current user access against separating personnel, including analysis of separation dates against access dates to determine if separating personnel have accessed systems after their separation from the organisation.
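The checks described under Lesson 3 (investigating activity after the separation date) and Lesson 4 (validating current access against separation dates) can be scripted once HR separation data, directory account state and central authentication logs are available. The following is an added illustration, not code from the ANAO or any audited entity; the user ids, log format and dates are constructed, and it applies the same-day timeframe of ISM 0430 and the 45-day inactivity threshold of ISM 1404/1648 referenced above.

```python
from datetime import date, datetime, timedelta

# Constructed sample inputs (not from the ANAO page): HR separation dates,
# account state from the directory, and central authentication log lines.
REVIEW_DATE = date(2023, 4, 5)  # date the periodic review is run
SEPARATIONS = {"u1001": date(2023, 3, 10), "u1002": date(2023, 3, 15),
               "u1003": date(2023, 4, 1)}        # user id -> HR separation date
ACCOUNTS = {  # user id -> (account enabled?, date access was removed or None)
    "u1001": (False, date(2023, 3, 10)),  # removed on the separation date
    "u1002": (False, date(2023, 3, 27)),  # removed 12 days late
    "u1003": (True, None),                # still enabled after separation
    "u2000": (True, None),                # current staff member, active
    "u2001": (True, None),                # current staff member, dormant
}
AUTH_LOG = """\
2023-02-01T08:07:00 LOGIN u2001 success sap
2023-03-10T16:02:11 LOGIN u1001 success finance-app
2023-03-18T09:41:05 LOGIN u1002 success hr-portal
2023-03-20T11:15:30 LOGIN u1002 failure hr-portal
2023-04-03T08:05:00 LOGIN u1003 success sap
2023-04-03T08:07:00 LOGIN u2000 success sap
"""

def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, user, outcome, system)."""
    events = []
    for line in text.splitlines():
        ts, _, user, outcome, system = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, system))
    return events

def late_removals(separations, accounts, review_date):
    """ISM 0430 check: days by which access removal missed the separation date.
    An account that is still enabled is measured up to review_date."""
    late = {}
    for user, sep_date in separations.items():
        enabled, removed_on = accounts.get(user, (False, sep_date))
        days = ((review_date if enabled else removed_on) - sep_date).days
        if days > 0:
            late[user] = days
    return late

def post_separation_access(separations, events):
    """Successful logins after the separation date: exceptions to investigate
    against business records and staff interviews (Lesson 3)."""
    return sorted((user, ts.isoformat(), system)
                  for ts, user, outcome, system in events
                  if outcome == "success" and user in separations
                  and ts.date() > separations[user])

def inactive_accounts(accounts, events, review_date, days=45):
    """ISM 1404/1648 check: enabled accounts with no successful login in `days`."""
    last_seen = {}
    for ts, user, outcome, _ in events:
        if outcome == "success":
            last_seen[user] = max(last_seen.get(user, ts), ts)
    cutoff = review_date - timedelta(days=days)
    return sorted(user for user, (enabled, _) in accounts.items()
                  if enabled and (user not in last_seen
                                  or last_seen[user].date() < cutoff))
```

Each list the functions return is an exception queue for the control operator, not a verdict: a post-separation login may turn out to be authorised, which is exactly what the investigation step in Lesson 3 is for.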

Case study 5. Periodic review of user access – Australian Nuclear Science and Technology Organisation

During the 2020–21 financial statements audit of the Australian Nuclear Science and Technology Organisation (ANSTO), the ANAO identified weaknesses in ANSTO controls relating to access being removed for separating personnel. Two employees’ user accounts were accessed after separation in 2020–21 and 2021–22. In response to this finding, ANSTO implemented a cessation process that tracked requests for offboarding, particularly around year-end shutdown or other periods of extended leave.

During 2022–23, ANSTO implemented further periodic controls that identify and investigate any access performed by separated personnel after their separation dates. The ANAO tested the design and operating effectiveness of these periodic controls and identified no recurrence of separating personnel logging on following their separation date.

To read more, see paragraphs 4.11.32–35 of Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2023.