WA Local Governments Lag on Cyber, Audit Warns
Western Australian local governments are failing to fix known IT security weaknesses, with 60 per cent of control flaws identified in 2025 carrying over unresolved from prior years.
A new report from WA Auditor General Caroline Spencer, Local Government 2025 - Information Systems Audit Results, tabled in Parliament on 25 March 2026, found 333 control weaknesses across 68 local government entities.
Nine per cent of findings were rated significant, 69 per cent moderate and 22 per cent minor. Access management recorded the highest number of weaknesses, with 78 findings across 36 entities.
“These weaknesses put entities at greater risk of service disruptions, disclosure of ratepayers’ data, financial loss and reputational damage,” said Auditor General Spencer.
The report’s case studies illustrate the consequences of poor controls. In one instance, a threat actor manipulated supplier account details in a financial system, resulting in a fraudulent payment of approximately $350,000 to an unknown third party.
Capability maturity assessments conducted at 15 entities showed an overall decline across all 10 control categories. Only one entity met the benchmark for access management and just two met the standard for endpoint security.
Of the 11 entities assessed in both 2024 and 2025, results held steady in four categories but declined in six. The sharpest drops were recorded in risk management, change management, network security and access management.
Auditors found that one entity’s internal corporate network was reachable from its public library, due to insufficient network segregation. Another entity left default administrator credentials unchanged on its building management system, exposing temperature, lighting and door controls to potential attack.
In the information security framework category, 54 per cent of entities lacked effective or up-to-date policies governing their IT environment. Half had no ICT steering committee to oversee technology strategy.
“I encourage all local governments to learn from these findings and implement effective controls, many of which do not require costly technology. Instead, uplift requires an ongoing awareness of risk and constant effort and vigilance,” Ms Spencer said.
Human resource security weaknesses included insufficient phishing awareness training and failure to conduct police clearance checks on staff in privileged roles, such as finance officers and systems administrators.
Endpoint security failures were also prominent. Auditors found over 70 per cent of staff at one entity could run Microsoft Office macros - a known malware vector - due to misconfigured controls.
Physical security shortcomings included at least one server room lacking fire suppression systems and exhibiting structural damage to fire-rated walls, with old IT equipment stored inside.
The report also highlighted positive examples. One entity implemented continuous external security assessments covering firewall configuration, network penetration testing and Essential Eight mitigation strategies. Another deployed data loss prevention controls alerting to transfers of personally identifiable information.
The findings mirror concerns raised in the OAG’s companion State Government 2025 - Information Systems Audit Results, tabled in December 2025, which identified persistent IT governance and cyber security weaknesses across WA state agencies.
