State entities face gaps in managing portable assets and securing Microsoft 365 environments, exposing them to risks of loss, misuse, and cyber incidents, according to the Office of the Auditor General of Western Australia (OAG).
In Western Australia, the Auditor General tabled a report on controls over portable assets with individual values below $5,000 at five state government entities. The review covered items such as IT hardware, medical and scientific instruments, tools, and educational equipment, which can be readily moved between locations. Auditors checked entity registers against items held on site, and then took the reverse approach by locating assets in storage or recently purchased and confirming whether they were recorded.
Only ChemCentre was assessed as having a complete and current view of its portable assets and their locations, supported by regular stocktakes and disposal documentation. “As a part of this audit, we searched for assets on entities’ registers and attempted to locate the physical assets on site. We also searched for assets either stored on site, or which had been recently purchased, and attempted to find them on the relevant register,” Auditor General Caroline Spencer said. The Forest Products Commission, by contrast, was not undertaking stocktakes and was unable to confirm its full portable asset base. Overall, four of the five entities did not have full visibility of where their portable items were located, and more than one‑third of a 115‑item sample was not at the position recorded on the register.
Assets that could not be located included an ice cream machine at North Metropolitan TAFE valued at $3,200, a telescopic pole pruner at the Metropolitan Cemeteries Board valued at $1,079, a spray gun at the Forest Products Commission valued at $2,284, and a vital signs monitor at WA Country Health Service valued at $4,830. Spencer noted that all entities audited were providing integrity training on appropriate use of government assets and pointed to the operational challenges in tracking equipment across dispersed sites. She nevertheless encouraged entities to reassess their controls “to ensure taxpayer funds are not wasted through misuse or theft.”
A separate OAG report examined how seven Western Australian state entities manage Microsoft 365 security. The audit considered governance arrangements, identity and access management, information protection, logging and monitoring, and threat protection. “These weaknesses heighten the risk of cyber incidents, data breaches, and operational disruptions,” Spencer said, referring to the control gaps identified. The report includes case studies that show how misconfigurations or incomplete controls in Microsoft 365 can lead to cyber incidents and loss of information. The entities involved were not named, with the OAG stating that disclosure could increase exposure to cyber threats. Spencer said the pace of technological change and the evolving threat landscape meant entities needed to “remain alert and continue strengthening their security posture.” The Microsoft 365 findings highlight a concentration of cyber exposure around a widely used platform, particularly where access controls, logging, and monitoring are not fully implemented.
At the federal level, the Australian Signals Directorate’s (ASD) report “The Commonwealth Cyber Security Posture in 2025” provides an aggregate view of cyber maturity across 194 Australian government entities as of June 30, 2025. The assessment draws mainly on the ASD Cyber Security Survey and focuses on cyber hardening, incident preparedness and response, and leadership and planning. According to the report, 22% of entities achieved overall Maturity Level 2 or higher across all eight Essential Eight mitigation strategies in 2025, up from 15% in 2024 but below 25% in 2023. ASD links the drop from 2023 to substantial changes made to the Essential Eight maturity model in November 2023, including tighter patching timeframes and strengthened multi‑factor authentication requirements.
Governance‑related indicators showed incremental improvement. In 2025, 82% of entities reported having a cyber security strategy and 92% incorporated cyber disruptions into business continuity and disaster recovery planning. Ninety percent had an incident response plan in place. Annual cyber awareness training was provided by 87% of entities, although annual training specifically for privileged users fell to 45%. Supply chain assessments declined marginally, with 70% of entities undertaking cyber risk assessments for IT suppliers and services, compared with 74% in 2024. Only 35% of entities reported at least half of observed cyber incidents to ASD, while ASD separately notified agencies 223 times of potential malicious activity in 2025. ASD continues to identify legacy IT as a material and ongoing cyber security issue and has published guidance on managing legacy environments and on “modern defensible architecture” for new or updated systems.
The findings describe a risk environment in which some core controls – including accurate asset registers, basic cyber hygiene, and incident reporting – remain inconsistent across government entities. Gaps in asset tracking can complicate claims handling, loss adjustment, and valuation, particularly where business‑critical equipment cannot be quickly located or accounted for. On the cyber side, partial implementation of the Essential Eight, variable Microsoft 365 security configurations, and low reporting rates may influence how underwriters assess frequency and severity of potential incidents, set sublimits and retentions, and prioritise risk‑engineering support. As entities respond to audit recommendations and ASD guidance, insurers and brokers can anticipate more detailed scrutiny of asset management processes, stocktake routines, legacy IT strategies, multi‑factor authentication standards, backup practices, logging capability, supply chain review processes, and incident response testing in submissions and renewal negotiations.