Australia’s national auditor will again consider an audit of the federal government’s digital identity system after a proposed review of the the $600 million-plus project failed to get up last year.
The Australian National Audit Office released its work plan for 2022-23 this week, singling out the scheme, as well as the country’s digital health system, for potential review over the coming 12 months.
The potential audit – one of 85 proposed across government – would “review the progress of the digital identity system’s implementation, design and functionality” seven years into the project initiated by former Prime Minister Malcolm Turnbull.
Using identical language to last year, the ANAO said the audit would look at the “roles and responsibilities of stakeholders”, including the Digital Transformation Office, and the “allocation and expenditure of funding, including contract management”.
The ANAO flagged the potential audit after last year’s $161 million investment in the digital identity system, which extended funding for the program, previously referred to as GovPass, until at least 2024-25.
The funding saw total investment in the digital identity system, including the myGovID credential and identity exchange, climb to more than $600 million since in 2015, with more than half of the funding allocated in the last two years.
While new services are continuing to be added to myGovID, the planned expansion of the scheme to state and territory governments and the private sector has stalled in recent months, with the former government failing to introduce legislation before parliament was prorogued this year.
In addition to a proposed review of the digital identity system, the ANAO is also considering an audit of the Australian Digital Health Agency’s “delivery of a safe, secure, and reliable digital health system”.
This follows a $301.8 million funding injection in the controversial My Health Record system, which is in the midst of a modernisation program that will replace the system’s Oracle API gateway, in the first instance.
The ANAO last conducted an audit into the My Health Record in 2019, which gave the system a largely clean bill of health despite uncovering that a number of information security manual (ISM) security controls were yet to be implemented.
Other possible audit targets
The national auditor is also considering a whole-of-government audit into the ‘management of cyber security’ by agencies – a review that was also flagged in its 2021-22 work program but wasn’t actioned.
The potential audit would continue a “series of audits of cyber security”, spanning several requirements under the Protective Service Policy Framework (PSPF), including the Essential Eight cyber security controls.
Last month, the ANAO revealed as part of the 2021-22 interim financial controls audit that only two of 19 agencies reviewed had met Essential Eight maturity levels required under the PSPF.
The ANAO is similarly plotting an audit of the “management of the privacy of clients’ personal information” by the Australian Taxation Office and Services Australia, noting the risk of data breaches.
“Services Australia and the ATO hold and manage client... information in the course of their delivery of services and payments and oversight of the tax and superannuation systems, and share information for the purposes of comparing income data,” it said.
Other potential audits slated for 2022-23 include:
- The effectiveness of the ATO’s design, planning and early implementation of the modernising business registers program, including the introduction of the director identification number initiative
- Geoscience Australia’s procurement for the Southern Positioning Augmentation Network project to understand if it “employed open and effective completion and achieve value for money”
- The effectiveness of NBN Co’s “strategies to manage its transition from building to operating the NBN” and the Communications department’s management of the contract with NBN Co for the regional broadband scheme
- The administration of skilled migration by the Department of Employment and Workplace Relations, the Department of Home Affairs and the National Skills Commission