An audit of the Department of Parliamentary Services (DPS) by the Australian National Audit Office (ANAO) has found the DPS had only a partly effective baseline of essential cybersecurity strategies.
The DPS is responsible for implementing cyber security strategies critical for safeguarding ICT services across Parliament House, supporting nearly 5,000 IT users and around 11,000 end-user devices.
The ANAO's audit examined whether DPS has an effective baseline of cyber security strategies to mitigate cyber security risks affecting the Parliamentary Computing Network and other ICT services.
Key findings from the audit include that the Essential Eight cyber security strategies had not been fully implemented in accordance with the requirements of the Protective Security Policy Framework, and compensating controls were not sufficiently effective to mitigate the full extent of risk.
The DPS has identified work to re-assess and re-authorise its ICT environment and in the 2026–27 Budget received additional resourcing to deliver necessary enhancements for critical information technology systems.
Governance arrangements were weakened because DPS did not have an IT control environment that addressed key risks across all the user groups supported, and because DPS had not completed key cyber security policies.
DPS had not completed identification and documentation of key systems and other ICT assets, and did not formally consider if the risk mitigation strategies were appropriate for the threats in their broader strategic environment. DPS also was found to have accepted risks above tolerance when approving the operation of new technology systems, and systems in active use required re-assessment and approval
The Audit Office found many risk-management approaches fell short of the standard required to adequately address the risk and, as a result, DPS had not implemented all essential cybersecurity strategies to meet the ASD’s Maturity Level Two.
DPS also lacked a single source of truth for identified risks and issues, and available registers were not complete.
Based on the audit, ANAO made a number of recommendations to DPS, including it review its governance arrangements and risk assessment processes for cybersecurity to ascertain their appropriateness for both Parliament’s and the Department’s risk environment.
It also recommended the DPS develop a prioritised risk-based program of uplift activities to address known risks related to essential cyber security strategies, as well as implementing a program to comply with the requirements of the Protective Security Policy Framework.
In response, DPS agreed with all recommendations and said it commenced a comprehensive review of its cybersecurity governance and risk assessment processes in December 2025, guided by the DPS Risk Management Policy and Framework and informed by the ANAO audit.
That review will assess existing arrangements to ensure they are fit for purpose and scalable to meet the Parliament’s evolving cyber security environment and will identify governance and assurance activities to be uplifted that will support mitigating cyber security risks in the Parliamentary Computing Network (PCN).
It also indicated funding from the 2026-27 Budget will support the delivery of a Parliamentary Information and Cyber Resilience project. This project, DPS said, will address critical cyber, information security, and operational resilience risks.
Earlier this year, the ANAO conducted an audit of the cyber-readiness of the ABS ahead of this year’s Census, advising that the ABS must address key remaining cyber security vulnerabilities by ensuring critical activities will be completed in time.
Last year, the ANAO found that the DTA had been “partly effective” in implementing procurement reforms around ICT related-services, following an Auditor-General Report that found procurement of ICT-related services by the DTA had been ineffective for nine procurements.




