True

COMMITTEE'S CONSIDERATION

In its Report No. 7, 58th Parliament - Annual Report 2024-25 tabled on 14 November 2025, the committee reported on its consideration of a number of Auditor-General reports referred to it, including Auditor-General Report 12: 2023-24 - Responding to and recovering from cyber attacks. The committee determined to take no further action in relation to the report and made no recommendations to the Legislative Assembly.

The Auditor-General tabled this report on 4 June 2024 during the 57th Parliament. The Legislative Assembly referred the report to the former Clean Economy Jobs, Resources and Transport Committee. The 57th Queensland Parliament was dissolved by proclamation on 1 October 2024. The subject matter of the report now falls within the areas of responsibility of the Local Government, Small Business and Customer Service Committee, and the committee resolved to consider the report.

OVERVIEW

Role of the Auditor-General 

The role of the Auditor-General is to provide Parliament with independent assurance of public sector accountability and performance. This is achieved through reporting to Parliament on the results of its financial and performance audits and other insights.

Responding to and recovering from cyber attacks Report 12: 2023–24 was tabled on 4 June 2024.

About the Auditor-General Report

The Auditor-General’s report discusses how prepared Queensland public sector entities, including local governments, are to deal with cyber security incidents. The QAO examined 2 lead agencies with responsibility for guiding cyber security, and audited 3 other entities with varying levels of resources and capability.

QAO concluded that the public sector entities that they audited were not as prepared as they need to be. All had response and recovery plans in place, but they were not as effective or complete as they need to be to deal with the complications and risks associated with cyber attacks.

The QAO gave specific recommendations to each of the 3 entities that they examined in detail. They noted that ‘All public sector entities – big or small – are a target for cyber criminals because of what they do and the information they hold. Cyber attacks are continuing to increase, and all entities need to ensure they are prepared to identify and respond to an incident.’

Accordingly, QAO recommendations included that all public sector entities:

• protect their systems and sensitive information
• formally recognise in key governance documents that responsibility for cyber security rests with the chief executive, or equivalent
• improve and test incident response plans
• improve their crisis communication plans and templates
• gain access to the technical skills required to respond to and recover from cyber incidents
• share cyber threat intelligence and lessons learnt with CSU and other public sector entities as quickly as possible

Referral to Committee 

Standing Order 194B provides that the Committee of the Legislative Assembly shall as soon as practicable after a report of the Auditor-General is tabled in the Assembly refer that report to the relevant portfolio committee for consideration.

The committee is responsible under section 94 of the Parliament of Queensland Act 2001 for assessing the integrity, economy, efficiency and effectiveness of government financial management by examining government financial documents and considering reports of the Auditor-General.

Private Briefing

The committee held a private briefing with the Auditor-General about this report on 13 March 2025.