Ageing Systems Leave SA Agencies Exposed, Audit Finds

Almost half the ICT hardware devices operating across 10 South Australian government agencies qualify as legacy systems, the state's Auditor-General has found. Incomplete asset inventories and inconsistent risk reporting are leaving agencies with reduced visibility of the security risks these systems create.

The findings appear in Report 3 of 2026, Review of legacy ICT systems, tabled in the South Australian Parliament. Auditor-General Andrew Blaskett surveyed 18 agencies in 2025, then selected 10 to examine how they manage legacy applications, operating systems, hardware, databases and virtualisation platforms. 

Of the systems assessed, 5,736 of 11,602 hardware devices and appliances (49 per cent) were classified as legacy. So were 766 of 3,181 operating systems (24 per cent), 195 of 812 applications (24 per cent), 121 of 392 virtualisation platforms (31 per cent) and 168 of 1,026 databases (16 per cent).

The audit concluded these systems often remain in use because agencies lack sufficient funding, resourcing or replacement pathways to modernise them. Ageing, complex or tightly integrated technology becomes too costly, risky or difficult to replace.

The review found weaknesses in how some agencies manage the resulting risks. These included incomplete asset inventories, limited formal risk assessments, gaps in risk register documents and inconsistent reporting to governance bodies. The gaps reduce visibility of risks and can delay action to remediate or replace systems.

The report warns legacy systems create significant cyber security, privacy and compliance risks. They often lack modern security controls, current vendor support and alignment with current security frameworks. This increases the risk of cyber incidents and data breaches, particularly as threat actors target public sector systems holding sensitive personal data.

Reliance on ageing technology also creates workforce risks. Agencies find it harder to attract staff with skills to support outdated systems, increasing reliance on contractors and raising knowledge and succession risks. The report says legacy technology can limit data sharing, analytics and evidence-based decision-making across government.

The Auditor-General concluded agencies need a more structured, risk-based approach. This includes completing modernisation projects, maintaining better visibility of legacy assets, documenting risks and treatments more clearly, and ensuring governance committees receive regular updates on progress and residual risk.

The review builds on a decade of similar work, including a 2016 review of information security management and a 2019 review of legacy systems across 18 major agencies. 

The report describes legacy ICT as a continuing whole-of-government issue. It is available at audit.sa.gov.au.

 

Business Solution