Safely leveraging technology and data is imperative in our increasingly digital world.

Cyber security remains one of the most significant risks facing the public sector. Entities must not only protect the information they hold but also ensure continuous delivery of public services.

This page brings together resources from QAO’s significant body of work on digital, data, and cyber-related topics drawn from our work across Queensland public sector entities and local governments.

Cyber security risk management


Security of critical water infrastructure

(Report 19: 2016–17) 
Tabled date: 27 June 2017 

Read the report


Traffic Management Systems

(Report 5: 2013–14) 
Tabled date: 19 November 2013 

Read the report

 

Upcoming audits

In 2027–28, we plan to table a report in parliament on Defending critical infrastructure from cyber risks. Read about it or contribute here

You can explore and contribute to our upcoming audits, and view our full Forward work plan 2026–29 on our Audit program page > 

Role capability checklist for cyber attack response and recovery >

This checklist helps entities map where they do or do not hold relevant cyber capabilities across their people, processes, or through technology.

 

Cyber response and recovery governance checklist >

This checklist provides key questions that those charged with governance can consider when planning how they respond to and recover from cyber security incidents. 

 

Checklist for managing third-party cyber security risks >

This checklist provides key questions that all entities can consider when managing their third-party cyber security risks.

 

Risk management maturity model >

This risk management maturity model helps entities self-assess their risk management practices to understand what they are doing well and where they need to improve.

Do you understand your third-party cyber security risks?

Think about how many third-party vendors your organisation relies on across your supply chain – information technology (IT) vendors, software development teams, accounting firms, marketing businesses, consultants; the list goes…

Advice on reporting data breaches

Cyber security risks represent one of the most significant threats to all organisations, with attacks increasing in intensity and frequency.

Advice on ransomware prevention and recovery

Ransomware attacks are among today’s most significant organisational threats. They aim to lock organisations out of their systems and files (usually through encryption).

Risk management – where do we start?

Risk management has never been more important than it is now. Today’s global risk landscape has a wide range of more complex risks that hit harder, come faster, are interlinked, and bring more profound disruptions.

Cyber security tips

As technology opens doors for increased efficiency, connectivity, and sharing, it opens our work and home to cyber risk. The controls we implement to address these cyber risks are often referred to as cyber security. …

 

Internal controls and fraud


Monitoring and managing ICT projects

(Report 1: 2018–19) 
Tabled date: 10 July 2018 

Read the report

 

Upcoming audits

Each year, we publish a report summarising the results of our information systems audits of Queensland’s public sector entities, other technology-related risks, and major system replacements. Learn more about our report Information systems 2026 >

In 2026–27, we plan to table 3 reports in parliament that may be of interest. These are on:

  • Implementing the Unify system. Learn more > 
  • Protecting information held by government. Learn more
  • Managing legacy information technology infrastructure and systems. Learn more

In 2028–29, we plan to table a report in parliament on Data use and governance in Queensland entities. Read about it or contribute here


Fraud and corruption self-assessment tool >

Our self-assessment tool helps entities to easily identify areas where they can improve their fraud controls and focus resources for detection on high-risk areas. These controls form a key part of their fraud risk management frameworks.

 

Fraud risk assessment and planning model >

Our fraud model helps entities document their assessments of fraud risk, as well as how they will control, monitor, and report on the risks. It gives entities a methodology to follow for their assessments.

 

Implementing machinery of government maturity model >

This maturity model allows entities to self-assess their change management practices to see where they can develop and progress. The model outlines 4 levels of maturity, with questions grouped by the key elements of internal control – process, systems, and people.

 

Checklist for managing machinery of government changes >

Our checklist provides agencies with guidance on some of the most common and important issues that arise in implementing machinery of government changes. It helps agencies identify, manage, and monitor the associated risks of changes at both the operational and strategic levels.

 

Emerging technologies and artificial intelligence

Upcoming audits

In 2027–28, we plan to table a report in parliament on Making the most of artificial intelligence. Read about it or contribute here

In 2028–29, we plan to table a report to parliament on Readying the public service for technological advancements. Read about it or contribute here


Checklist for managing ethical risks in artificial intelligence >

This checklist provides key questions that those charged with governance can consider when managing the ethical risks associated with artificial intelligence. 

 

Digital project delivery


Monitoring and managing ICT projects

(Report 1: 2018–19) 
Tabled date: 10 July 2018 

Read the report

Upcoming audits

In 2026–27, we plan to table 2 reports in parliament that may be of interest. These are on:

  • Implementing the Unify system. Learn more > 
  • Managing legacy information technology infrastructure and systems. Learn more


Guidelines for implementing new systems

This guide provides questions that public sector entities and those with governance oversight responsibilities can consider regarding the controls of newly implemented systems. 

Delivering successful technology projects >

This better practice guide provides 5 factors that, if managed and modified to suit, can help entities protect and improve the success of their technology projects.

 

Learnings for ICT projects >

In this guide, we share some lessons learned to guide all entities involved in information and communication technology (ICT) projects. We draw on the insights from our work across a number of technology-related projects.

Are you managing your legacy system risks?

Modern technology systems are essential to efficient and productive businesses, helping to strengthen service delivery, security, and operational efficiency.

Tips on implementing a new ICT system

Implementing a new information and communication technology (ICT) system can be challenging. Such projects are often expensive in time, skill or monetary cost, and it is therefore imperative to plan well from their outset. …

Learnings for ICT projects

In March 2019, the Queensland Under Treasurer referred concerns to the Auditor-General about the delivery of the State Penalties Enforcement Registry (SPER) Reform Program.

 

Podcast Cyber risk: what do we do now?

Listen in as 2 of our senior directors and the Queensland Government's Cyber Security Unit chat about what chief executives need to consider, including risk management, controls, and what to do if you experience a cyber attack. We share some interesting findings and important recommendations from our report Responding to and recovering from cyber attacks (Report 12: 2023–24).

Transcript
 
Listen on Spotify

 

Status of Auditor-General's recommendations

Each year, we ask entities to self-assess their progress in implementing the performance audit recommendations we have made in our reports to parliament.

Our report on the status of Auditor-General’s recommendations brings together information and insights on entities' progress. It also highlights common challenges and improvement opportunities.

Our interactive dashboard allows you to explore entities’ self-assessed progress in implementing the recommendations we make in our reports to parliament.

Learn more >