A Queensland Audit Office report, noted by a parliamentary committee yesterday, assessed three government entities and found none had a full record of the ICT assets it had assigned its employees.

“For two of the entities, we found almost 750 ICT assets (according to their records) were assigned to employees who no longer work for them,” the report says.

“Either the entities’ asset records are out of date, or there is a risk that these assets could be used to access the entities’ sensitive information.”

The parliamentary committee said the report was timely, pointing to recent comments Prime Minister Scott Morrison had made about ongoing cyber-attacks and the increased use of internet activities due to the COVID-19 pandemic.

The audit office made several recommendations as part of its audit into cyber security risks, including that government entities review how they manage their ICT assets, such as recovering assets that have not been returned.

The parliamentary transport and public works committee said that since the report, it had sought an update from 103 government entities and was satisfied it was taking appropriate action to manage cyber security risks.

The committee only recommended that the report be noted by the parliament, as it also raised concerns that some entities – such as local government – fell outside the mandated cyber security frameworks.

“However, the committee considers that the (Queensland Government Customer and Digital Group) is taking appropriate action to keep these entities informed of the issues, including providing alerts, newsletters, briefings and published guidance,” the committee said.

“The committee considers that it is of upmost importance that these entities continue to engage with the QGCDG on these issues.”

The entities the audit office referred to in its report were not revealed for security reasons, and they defined entities broadly to include all Queensland public sector entities, such as departments and councils.