The Western Australian Office of the Auditor General (WAOAG) has released a report highlighting weaknesses in the way nine WA higher educational institutions implement and operate general computer controls (GCC).
This is the first standalone report summarising the results of the WAOAG's annual information systems audits of higher education institutions; it covers the GCC audit results of four universities and five TAFEs for the year ending 31 December 2025.
In previous years, these results were included in the WAOAG's State Government reports; however, the State Government 2025 – Information Systems Audit Results report did not include tertiary sector results, as these audits were in progress at the time of reporting.
The purpose of the GCC audits is to evaluate the risks arising from the use of IT and how well entities’ IT controls protect the confidentiality, integrity and availability of key business systems.
The report found that the total number of control weaknesses dropped to 73 from 87 last year, but the proportion of significant and moderate weaknesses increased.
The majority of the weaknesses (64%) remained unresolved from prior years. Most of these could be "easily resolved by the diligent application of basic controls" such as patching systems, staff onboarding/offboarding procedures and appropriate management of access, the report stated.
Information and cyber security controls were identified as the most significant area of concern, accounting for 82% of all weaknesses identified.
"In the context of recent security incidents affecting Australian education sector entities, the high proportion of control weaknesses in this area is particularly concerning," the WAOAG said.
"In addition, the adoption of artificial intelligence brings benefits, but it has also elevated risk as threat actors use it to carry out sophisticated attacks. Entities must ensure their basic general computer controls are effective."
The WAOAG also performed capability maturity assessments of the nine higher educational institutions, assessing these entities’ capability maturity across 10 categories using a 0-5 rating scale. Entities must achieve maturity level three or higher to meet the WAOAG's benchmark.
The report found there was an overall reduction in maturity across the sector compared to the prior year.

Of most concern to the WAOAG was the decline in four of the five information and cyber security control categories (endpoint security, human resource security, information security framework and network security); in particular, only one entity met the endpoint security benchmark.
There was, however, a clear improvement in the access management category, although still fewer than half of the entities met the benchmark.




