Australian government grades its own cyber compliance, rarely checks the grade — and where anyone independent has looked, the rules aren’t being met.
Agencies grade their compliance against the mandatory cyber frameworks, an executive signs the attestation, and it is filed. Two things sit beneath that signature, and neither is comfortable: what an independent check finds when it tests the grade, and what has already happened to the data the grade was meant to protect.
Compliance, almost everywhere, is self-assessed — the organisation marking its own work and reporting the result to itself or to a central body. So the question that matters is simple: who verifies the mark is true? When the auditors-general have actually checked, the answer has been the same across every jurisdiction with an audit programme mature enough to look closely. None of what follows is hypothetical — it is drawn entirely from their own reports, each linked at the foot of this page.
Essential Eight compliance: the grade that failed the check
The Australian National Audit Office runs a standing series of cyber audits, and its conclusion is consistent: non-corporate Commonwealth entities show ongoing low cyber resilience and high rates of non-compliance with the mandatory Essential Eight baseline (Policy 10 of the Protective Security Policy Framework). Its most recent audit makes the self-assessment problem concrete.
In June 2026 the ANAO reported on the Department of Parliamentary Services, custodian of the network that carries federal parliamentarians' email and traffic: some 10,000 devices across roughly 4,800 users. DPS had self-assessed that it met the required Maturity Level Two across all eight strategies. When the ANAO tested that grade, it found seven of the eight strategies implemented below Maturity Level Two, meaning the Essential Eight was not fully implemented as the framework requires, and it found the department's risk management short of what the risk demanded. The grade the department gave itself and the grade the independent auditor gave it were not the same.
Government cyber compliance, state by state
This is not one auditor’s bad week. The same finding appears in every Australian jurisdiction with the maturity to test it — which turns a local problem into a national one.
| Jurisdiction | Audit office | What the independent check found |
|---|---|---|
| Commonwealth | ANAO (2026) | The Department of Parliamentary Services self-assessed full Maturity Level Two; the ANAO found seven of the eight Essential Eight strategies below the required standard. Ongoing low resilience and high non-compliance across non-corporate entities. |
| New South Wales | Audit Office of NSW | 59% of agencies declared no independent assurance over their own self-assessment; 152 significant, high or extreme residual risks; third-party incidents nearly tripled in a year. |
| Victoria | VAGO | None of 10 departments could produce a complete, accurate inventory of their own servers; all were running outdated operating systems. |
| Western Australia | OAG | 359 control findings across 53 state entities, almost two-thirds unresolved; only 3 of 15 audited local entities had adequate cyber policies. |
| Queensland | QAO | 13 significant and 198 IT-control deficiencies; in a third-party audit, auditors bypassed controls and extracted sensitive information. |
| SA, Tasmania, NT | Various | Independent cyber assurance and public reporting are limited or, in places, absent — the gap is not even measured. |
What the state auditors found
New South Wales
59% of agencies declared they had no independent assurance over their own cyber self-assessment. Twenty-seven of 66 agencies reported 152 risks rated significant, high or extreme; 28 reported controls that were largely or totally ineffective; and most fell short of the policy’s minimum “Protect” requirements. Incidents involving third-party systems nearly tripled in a single year.
Victoria
The Auditor-General examined the servers of all ten government departments and the shared state ICT provider. Not one could produce a complete, accurate inventory of its own servers, and every one was running outdated operating systems — in a state where, the same report notes, nine in ten government organisations had a cyber incident in 2023.
Western Australia
The Auditor-General reported 359 control findings across 53 state entities — almost two-thirds carried over, unresolved, from earlier years — and 333 weaknesses across 68 local-government entities. In a dedicated local-government cyber audit, only three of fifteen entities had adequate cyber security policies.
Queensland
The Audit Office found 13 significant and 198 IT-control deficiencies, around half unresolved from prior years. In a third-party cyber audit, the auditors did not merely review controls — they bypassed them, reached the agencies’ corporate systems, and extracted sensitive information.
Beyond the larger jurisdictions the picture only thins. In South Australia, Tasmania and the Northern Territory, independent cyber assurance and public reporting are limited or, in places, absent — which means that in much of the country the gap is not even measured.
Independent assurance: who is actually checking?
The verification meant to close this gap is, by design, partial. Auditors-general provide genuine independent assurance, but they audit a sample of agencies periodically, not every agency's posture every year; it is those sampled audits that keep surfacing the gap. Beyond them, agencies can engage external assessors, but independent assurance over the self-assessment is encouraged rather than required, which is precisely how a jurisdiction arrives at 59% of agencies with none. And where an external review does happen, the resulting report belongs to the agency and is not a public record.
Why unverified compliance matters
This is not theoretical. Nine in ten Victorian government organisations had a cyber incident in 2023; in NSW the number involving third-party systems nearly tripled in a single year. The compliance failures the auditors describe are not risks waiting to land — they are the conditions under which breaches have already happened. And these systems hold the public’s health records, identities and tax affairs. In most of the country, the assurance protecting that information is the holder’s own word: self-assessed, rarely verified, seldom visible.
There is a category of assurance that none of the above provides — an independent, external, evidence-based view of exposure, owned by no one inside the organisation and answerable to the people relying on it. That is the layer the audits keep finding absent.
Sources
Every figure above is drawn from a primary government source.
- Australian National Audit Office — Cyber Security (insights)
- Australian National Audit Office — Cyber Security in the Department of Parliamentary Services (Report 38, 2025–26)
- Audit Office of New South Wales — Cyber Security Insights 2025
- Victorian Auditor-General’s Office — Cybersecurity of IT Servers (Oct 2025)
- Office of the Auditor General WA — State Government 2025: Information Systems Audit Results
- Office of the Auditor General WA — Local Government 2025: Information Systems Audit Results
- Office of the Auditor General WA — Cyber Security in Local Government
- Queensland Audit Office — Information systems 2025
- Queensland Audit Office — Managing third-party cyber security risks
- Australian Signals Directorate — Annual Cyber Threat Report 2024–25
Frequently asked questions
Do Australian government agencies independently verify their cyber security?
Mostly, no. Compliance is reported through self-assessment, and independent assurance over those self-assessments is encouraged but not mandated in most jurisdictions. In NSW, 59% of agencies declared they had none.
Who audits government cyber security in Australia?
The auditors-general — the ANAO federally, and each state and territory equivalent. They provide genuine independent assurance, but only across a sample of agencies and periodically, not a standing check of every agency every year.
What did the NSW Auditor-General find?
That 59% of agencies had no independent assurance over their cyber self-assessment, that third-party incidents nearly tripled in a year, and that 152 significant, high or extreme cyber risks were reported across a minority of agencies.
Is independent cyber assurance mandatory for government?
In most jurisdictions, no. It is recommended and supported by guidance, but agencies are generally not required to obtain independent verification of their self-assessed posture.