"The ANAO assessed one of the agencies as meeting virtually all of these requirements, two agencies as meeting most of these requirements, but the remaining agency as meeting few of these minimum requirements," according to the report.
Furthermore, despite the "reasonably comprehensive" coverage of security requirements in most of the contracts examined, about half of the contracts examined did not contain provisions for dealing with the risk of access to the agency's information through a third party interest, or explicitly identify a breach of security requirements as a reason to terminate the contract.
In only seven of the contracts examined, agencies were systematically assessing security performance or measuring compliance with security requirements.
"Generally, the audited agencies indicated that security matters were only considered if, and when, matters arose," according to the report. "Some of the contract managers interviewed suggested they relied on the agency's broader security programs and policies to provide them assurance that security requirements were being complied with.
"Most of the contracts reviewed during the audit contained a clause(s) requiring the contractor to advise the agency of any security incidents. Three of the audited agencies had agency wide processes for identifying, reporting, recording and monitoring breaches of security and other security incidents. The fourth agency did not have a system for effectively capturing details of security incidents."
To assist staff to manage security risks during procurement and contracting activities, the ANAO recommends that agencies include in protective security and procurement or contracting policy documents, information on the security risks of using contractors that is appropriate for their operations, and update model procurement and contract templates to fully reflect the requirements of the PSM.
The ANAO also recommends government agencies adopt a risk-based approach to monitoring and evaluating the performance of contractors, including their adherence to security requirements.
The agencies generally agreed with the findings, with one stating it will expand this tool to capture more pertinent information for assessing changes in security risks involved in the use of contractors.
Customs agreed with the recommendation, and stated: "Customs has appropriate procedures and processes in place that ensures a risk-based approach to monitoring and evaluating the performance of contractors."
The Department of Finance stated it is reviewing and redeveloping security, procurement and contracting policy documentation and procurement and contracting templates.
The audit engaged Courage Partners Pty Ltd to assist with the conduct of audit fieldwork and the production of management reports at two of the audited agencies. The audit was conducted in accordance with the ANAO's auditing standards and cost about $270 000.