Prudential Standard CPS 234, which outlines the information security requirements that APRA regulated organisations must comply with, is a mandatory regulation issued by APRA to ensure that your organisation’s information assets remain safe and secure from breaches.
In order to increase the rigour of compliance of CPS 234, Boards of regulated entities are required to engage third party independent Auditors to undertake a thorough CPS 234 compliance audit, with the results reported to both the Board and APRA.
APRA has developed a program of tripartite independent information security compliance reviews across all its regulated industries to ensure these audits are being conducted and the entities are complying with the Standard. It has recently begun issuing notifications to regulated financial institutions advising them to start preparing for these reviews.
All APRA-regulated entities, which include:
Compliance with the Standard will ensure the following within your organisation:
As cybercriminals and their programs become more advanced, so too should Australian cybersecurity systems – and CPS 234 ensures that these businesses continue to develop and maintain their online defences. It goes without saying that non-compliant organisations are operating at a much higher risk of being exposed to a cyber security breach, including business interruption, confidential records being compromised or fraud. Additionally, formal enforcement action may be taken for non-compliance and potential breach notices could be issued by APRA.
In order to meet the CPS 234 Standard, your organisation needs to employ an independent Auditor to undertake a thorough audit.
Centium is uniquely qualified to perform the requisite compliance audit and report as per Australian Standard on Assurance Engagements ASAE 3100 Compliance Engagements (ASAE 3100), issued by the Auditing and Assurance Standards Board.
We will:
If your organisation needs a helping hand in complying with APRA’s CPS 234 Standard in order to increase your security and better manage your information assets, Centium is more than happy to discuss how we can help you.
For more information, please contact Scott Thomson, Director Cyber & IT on 0412 562 797 or scott.thomson@centium.com.au.
For further information about our service, team and experience, refer to our capability infosheet. If we can assist you, please don't hesitate to get in touch.
Workplace investigations of alleged misconduct can absorb a significant amount of resources and potentially contribute to industrial relations problems and staff morale issues. A well-conducted, independent investigation of alleged workplace misconduct can greatly assist in effectively and fairly resolving a complaint and mitigating these organisational and employee impacts.
But a badly conducted or poorly documented investigation can only add to an organisation's problems, inviting scrutiny and challenges.
To avoid this, you need to ensure that all investigations reports are fit for purpose and demonstrate that the investigation was timely, complete, detailed and fair.
Without a clear process in place, this isn't easy to do. So, Centium's expert investigators have put together the following simple report evaluation checklist to help you identify the good from the not-so-good.
The investigation achieved its purpose within the scope defined in the client-provided terms of reference and followed applicable policies and procedures.
The investigator made all necessary enquiries, via a combination of document review and interviews.
The findings of fact and the reasons for those findings were sound and evidence-based.
The reasons the investigator did or did not pursue any lines of enquiry that came to light during the investigation were clearly articulated.
The investigation was fair to all parties, and the respondent was:
The report concludes whether the allegations were substantiated or not substantiated and provides sufficient information to support such conclusions.
Any mitigating circumstances associated with the findings are described and explained, which the delegated decision-maker can refer to when determining future action.
The reason for any delays that occurred during the investigation is set out, noting that such delays should have been brought to the client's attention during the investigation.
All witness statements or interview transcripts and documentary evidence are attached to the report.
A good quality investigation report:
Centium provides investigation services to more than 100 organisations and has conducted more than 2,000 workplace and code of conduct investigations over the last two decades.
Our Ethical Conduct & Investigations specialists are committed to assisting our clients to achieve and maintain a robust governance framework and an ethical workplace culture. We can help organisations carry out investigations, review reports and improve complaint handling systems and processes.
To learn how we can assist your organisation, please contact Peter Mulhall, Director, Ethical Conduct & Investigations on peter.mulhall@centium.com.au or 0416 161 819 or browse Centium's Ethical Conduct & Investigations services.
Before you answer…
Cast your mind over recent publicly prominent investigations that have raised organisational risk management failings, with ever-increasing scrutiny of organisational risk culture.
Imagine for a moment a research department seeking to be the first to deliver new technologies. What if, in the race to deliver, staff take unacceptable risks and develop work-around technologies to meet the targets at any cost? What if these technologies go on to dupe millions of customers and cause untold reputational damage to the company? You don’t have to imagine, just remember Volkswagen’s recent failings.
Now consider a company that incentivises its employees using aspirational sales targets – these employees go on to not only exceed the targets but achieve unimaginable growth. What if these staff were taking risks and not following company policies to meet the targets at any cost? What if that same company then went on to charge customers for products/services they didn’t want? What if this company also suffered massive data breaches? It’s not a what if. Not long ago, Wells Fargo was found to have pursued a business strategy that prioritised growth without ensuring appropriate management of risks.[1] What does this say about risk culture?
Closer to home, reflect on the now very public risk management failures of the Crown Resorts Group. The public inquiry, led by Patricia Bergin SC, highlighted (amongst other things) the misalignment between day-to-day practices, management reporting and the Board’s own risk appetite. What does this say about Crown’s risk culture if the management team determined to handle important developments themselves…without “troubling the Board”?
So – how’s your organisational risk culture?
An organisation’s risk culture encompasses an array of behaviours, beliefs, attitudes and competencies associated with perceptions of risk and related decision-making.
Risk culture is a subset of broader organisational culture, or ‘the way we do things around here’ - noting that there may be several such cultures within an organisation.[2]
Collectively, risk culture determines a team, division, department or possibly an organisation’s commitment to the principles and practices of risk management. Alongside risk management frameworks, culture is a key influencing factor with respect to how individuals, teams or groups identify, manage, report and escalate risks.
Mature organisations effectively manage their risks. Such organisations have well-developed risk management frameworks, comprising formal policies, procedures, systems and processes.
More importantly, organisations with mature risk cultures have:
There are a number of common pitfalls and/or recurring themes amongst organisations with less mature risk cultures.
Perhaps the most common issue is that of a poorly constructed, broken risk management system. Or worse still, an IT system that drives rather than supports risk management. Risk management systems that fail to adequately capture and report risks become a hindrance to risk culture. Over time, such systems become sidelined and eventually all but ignored.
Typical pitfalls include the capture of too many risks; inconsistencies between system and organisational risk levels; overly complicated monitoring and review processes; insufficient training; and inadequate consideration of the resources required to both administer the system and ensure ongoing compliance.
A mature risk culture is underpinned by a system that is capable of capturing, managing and manipulating risk data. Implicit in this requirement is that there are processes by which risk owners keep this information up-to-date to enable accurate analysis and reporting.
No two people perceive risk in exactly the same manner, and as such an organisation made up of many individuals will generate many differing views on risks. By way of example, a retrospective examination of critical incident causation will generally highlight differences in individual perceptions of risks and possible consequences.
Better practice organisations define and communicate risk behaviours and attitudes, and ensure that these are built into recruitment, induction, as well as training, information and awareness initiatives. Lessons learned are communicated so that corrective action can be taken, and employees are encouraged to report concerns.
Organisations often promote positive achievements/activities irrespective of the fact that such actions incorporated a level of risk that attracted (or should have attracted) additional scrutiny and management oversight. This can lead to an escalation of risk tolerance and related attitudes/behaviours outside the desired culture, possibly increasing the overall risk.
Within a strong risk culture, risk roles, responsibilities and tolerances are clearly defined. While achievements are celebrated, lessons learned are reviewed to consider impacts on risk tolerances. In addition, risk tolerances are periodically reviewed by governance committees, including the Executive, Board and Audit & Risk Committee. Importantly, decision-makers understand the organisation’s risk appetite and act/escalate matters outside agreed tolerances.
Another common issue associated with poor organisational risk culture is inadequate or unclear communication regarding acceptable and unacceptable activities/behaviours.
Organisations with mature risk cultures communicate clearly, consistently and often. These organisations look for every opportunity to incorporate conversations about risk management into day-to-day activities and performance discussions; include risk management as a standing agenda item on team meetings, and ensure risk policies, procedures and systems are accessible and understood by staff.
It should come as no surprise that regulatory bodies are increasingly scrutinising risk culture. Public sector organisations are also increasingly coming to value a strong risk culture and hold their organisational leaders accountable. Independent assessment of risk culture is also an expectation of Boards and governance committees.
As recently noted by the Institute of Internal Auditors (IIA) Australia, there is currently no prescriptive role for the internal audit activity to audit risk culture. However, given the requirement to independently assess risk maturity and culture, there is an increasing role for internal audit in this regard. External collaboration with like organisations and risk specialists is also central to a mature risk culture.
There are a number of fit-for-purpose tools available to assess risk culture maturity, including Auditing Risk Culture: A Practical Guide (IIA 2021). The NSW Treasury has also released a Risk Maturity Assessment Tool Guidance Paper that can be adapted for various sectors and business contexts.
Risk management is frequently perceived as a defensive discipline. At Centium, we see risk management as a positive force that benefits all organisations. Properly executed and integrated into strategic and operational planning models, risk management can be used to prevent or mitigate negative events.
Risk management is also important in enabling organisations to take better advantage of positive events and opportunities for growth. Risk culture and risk maturity assessments are thus an exciting extension of this discipline. These services are further enhanced by expert advice and support to assist organisations to build risk maturity via a fit-for-purpose program of works.
Contact our Director Risk & Assurance for a no-obligation discussion on 0409 251 011 or at penelope.corkill@centium.com.au. Alternatively, browse Centium's range of Risk & Assurance services.
[1] Press Release, US Federal Reserve, 2 February 2018.
[2] Auditing Risk Culture Guide, IIA, 2021.
In a month where billionaire entrepreneurs are reaching for the stars (or at least the edge of space), we thought it was timely to share our research and recent experiences about the audit topics that are trending in the Local Government audit universe.
Councils are probably aware that the NSW Audit Office has recently published an annual summary of its Local Government Internal Audit Program. This informative document (and there’s a short video for the time-poor) includes trends and patterns that might be of interest when planning a risk-based, local internal audit program.
More importantly, with Local Council elections postponed until December 2021, we expect that Council strategic and operational planning will be similarly pushed back. This presents an opportunity for internal audit to provide assurance regarding the management of high risks and the effectiveness of governance frameworks prior to the commencement of a new Council.
To ensure long-term effectiveness of frameworks and that new councils are well-positioned to continue to produce the best service delivery outcomes, Local Government internal audits should consider the following high-risk areas:
An effective risk-based, internal audit plan enables well-run Councils to focus resources on their highest risks - as well as areas that may be perceived as being of concern for new and incoming Councils.
Centium offers an independent, insightful and practical perspective. Importantly, we develop strong partnerships with our clients to provide assurance, build capacity and facilitate ownership of outcomes. We are also available to provide advice and facilitate management discussions regarding risk.
Browse Centium's range of Risk & Assurance services or talk to us about how we can help.
The Australian Cyber Security Centre (ACSC) updated its Essential Eight (8) Maturity Model in July 2021 to counter the sophistication of different levels of adversaries, rather than just being aligned to the intent of a mitigation strategy.
The ACSC asserts that the maturity model is focused on "Windows-based internet-connected networks", and while it could be applied to other environments, other "mitigation strategies may be more appropriate".
The following are the key high-level changes made within the updated Essential 8.
Many of the details have changed, becoming more definite while also reducing timeframe recommendations. The following are the key technical changes:
To know more about the ACSC Essential Eight requirements, please visit the ACSC website.
We have a team of ISMS experts and cybersecurity specialists who have worked with dozens of State Government agencies across NSW. We have also mapped out all related processes and requirements across Essential 8 and have developed a suite of (fully compliant) shortcuts and helpful “lessons learnt” to share with our clients. We can help you with the following:
For more information, please contact Scott Thomson, Director, Cyber & IT on 0412 562 797 or scott.thomson@centium.com.au.
Explore Centium's robust and proven Cyber, IT & Business Continuity for small and medium Government organisations.
[1] Our thanks to the ACSC for proactively updating Essential 8 requirements and providing us with a supporting guidance document to understand the context of these changes.
Most Chief Financial Officers are under time pressure – having to do more with less. Not only does the CFO have to ensure the controls over transaction processing are in place and the reporting ticks over like clockwork, but he/she also has to provide financial insight and significantly contribute to the Executive team.
The CFO is expected to facilitate the creation of a relevant and flexible plan which provides direction and improves business performance. With increasing uncertainty, business ambiguity, and environmental turbulence, there are great difficulties understanding what the future holds and how we should respond to various factors such as climate change, the COVID-19 pandemic, and trading partners. Some industries benefit and others are severely impacted. But all businesses need to develop a plan to be “future-ready”.
The desire is for the CFO to have more time and control, less stress, improved decision making, better business alignment, and a forward-looking approach. The CFO needs to have a seat at the decision-making table and to be relevant to the CEO’s strategic thinking. The old response of a CFO, guessing that next year’s revenue will be last year plus inflation plus 5% for growth, is no longer good enough. Knocking up an Excel spreadsheet over the weekend with a bit of hope and ambition embedded in the formulae has become inadequate.
Some answers which many have tried, include:
High performing CFOs, who have a seat at the decision-making table, approach planning in a manner that is consistent with and contributes to the CEO’s strategic thinking and objectives. They are expected to facilitate relevant and flexible plans, to provide direction and improve business performance. How to deal with radical uncertainty is therefore a constant challenge.
Models and frameworks do exist, which the CFO can utilise, to accommodate extreme environmental unpredictability such as climate change, COVID-19, trading partners and other factors.
These models and frameworks can be best understood by taking into account the six non-negotiable lenses which will give rise to better, more strategic, ‘future-ready’ planning and decision making.
In Australia, most businesses use a fixed 12-month period for the budget which usually finishes on 30 June, occasionally 31 December. The right time for a plan horizon should usually be determined by decision making lead times – and so will vary between and within businesses. The Capex budget for a mining company could be 5 plus years. The longest lead time for a new product could be 12-24 months. So the plan horizon should be at least 12 months. StatOil in Norway operates an exploration business with long lead times, a retail business with short lead times and a refinery business which has lead times somewhere in between.
So, this and other recent international trends seem to confirm that effective businesses today need to operate with a horizon greater than 12 months. This requires the adoption of a rolling forecast where the horizon rolls forward such that there is always a consistent level of visibility.
The conventional approach of 12 months fixed to 30 June means that the length of the horizon will vary depending on the point in time during the year. Using a car-driving analogy, during the budgeting cycle we shine a strong light into the future, then we “turn off the high beams” and start driving into next year with low beams only. At the beginning of the year our lights illuminate all four quarters ahead. As we drive on and the quarters pass, the low beams gradually get covered in mud and become weaker and weaker… but we do not mind as long as we can see until year-end… Is this a safe way of driving in the dark?
The following diagram illustrates this diminishing visibility of the future time after the wall of 30 June is reached.
A driver-based rolling forecast is a management tool that enables a continuous planning process unencumbered by fiscal accounting periods.
The focus for this tool is the ongoing planning for the revenue required to maintain/grow profit margins, and the resources required for optimal capital investment – i.e. continuous “keep the lights on” work.
This continuous planning process immediately reflects known changes in sales, capital requirements, deteriorating delivery infrastructure, economic conditions, external forces and/or anything else that will affect the future physical and financial condition of the company.
Most businesses that have adopted rolling forecasts operate with a horizon that is longer than a year. Amex uses five quarters; Unilever Canada uses 18 months. This might not sound like a big change, but in fact, an 18-month rolling forecast, updated every quarter, can increase visibility by a factor of 3 over 1 within a fixed annual period.
The revenue element of the budget process is the hardest to forecast, as it is the most turbulent. Often the business drivers and the business model are not well known by those who are entrusted with preparing revenue projections. However, trying to ensure such projections are as accurate as possible is vital, as revenue drives the rest of the business.
Typically, when formulating the budget, the management team is comfortable with the expenses area of the forecast. This is reflected in the level of detail, most of which is historically based. Yet when looking at forecast accuracy, it is the revenue that has the greatest impact, both positively and negatively, on the result. The level of revenue-related detail is often only a few lines, which reflects how poorly the causality of revenue is known or how hard it is to control.
Driver-based forecasting focuses first on planning for the work that drives the economics of the business, such as:
The key benefits of Driver-Based Planning are:
The key steps in getting ready for Driver-Based Planning are:
Case Study: For a major university we looked at the major drivers, which for revenue were student enrolments (by degree type, under and post-graduate by subject area), and for costs were staffing numbers (staff rates by position and level). By factoring these drivers in we were able to develop the following financial forecasting models.
Faculties and Schools are responsible for carrying out the day-to-day teaching and research operations of the university. As such, they are in the best position to understand the detail of their operational drivers. The design of the University’s 5-year forecasting model is depicted below:
Model Design – Inputs (Drivers): Focusing on the key drivers of the university will enable the Finance team to formulate the forecasts quickly, with more time available to spend on analysing, rather than collecting data. Assumptions and rates should be pre-determined to ensure consistency across the university and ease of collection.
All of the major banks in Australia use 5-year financial models to project their P&Ls and Balance Sheets. They are trying to address their interest rate risk (i.e., how their products change in terms of rates and volumes based on changes in the underlying market interest rates.) They have sophisticated software, measures, and risk appetite targets with formal decision-making processes driven by a powerful ALCO (Asset/ Liability Committee). The goal is to understand the nature of risk under different situations and to address strategies to mitigate the risk.
Case Study: For a major University we developed a base case and financial management plan and budget and then added on scenarios for changes in research funding and student enrolments.
Business confidence comes when a forecasting model is transparent and inclusive. Accordingly, getting participation from all relevant parties was vital to the forecasting process. Once the base case was developed, sandpit scenario modelling led to the development of management playbooks. Various forecast scenarios assisted in developing budgets and forecasting plans to help the University shape a different future, thereby enabling the organisation to become ‘future ready’.
This led to the development of a range of management playbooks that addressed changing student numbers by +/- 10% and changing research by +/- 10%. This process (which is depicted below) resulted in the following significant improvements:
Most financial models are developed using Excel. However, there are many limitations to spreadsheets that can be overcome by using specialist budgeting and planning software.
The Planning team should lead a process to make better smarter decisions. As well as producing an information pack which includes the financial results and future plans, the finance team should identify options, make recommendations and lead a discussion to support the Executive Leadership Team to make smarter plans. The Finance Team needs to help facilitate answers to these questions and to then clearly and consistently communicate these to all relevant parties.
The big opportunity for the ‘modern’ CFO is to not only gain more time in the planning process, but to also be more relevant to and an integral component of the Executive’s strategic planning and decision-making functions.
The key message is that while CFOs cannot 100% accurately forecast the future for both them and their organisation, with ‘good enough’ foresight, wise preparation, and timely action, they can significantly contribute to making their organisation’s future direction and desired performance levels much more predictable. The best analogy is for the CFO to be more aligned with the navigator of a sailing ship, rather than a fortune teller.
Centium’s Director Financial Management Consulting (Grahame Scriven) has many years’ experience in the Financial Services, Commercial, Government and Education sectors. He has lived through the transition stages of the ‘modern’ CFO and has personally implemented many of the strategies referred to above.
If you would like to have a confidential and obligation-free discussion, please email or call Grahame Scriven on grahame.scriven@centium.com.au or 0422 773 352 or contact us to arrange a 1-hour Teams meeting or else an in-person consultation to address your business challenges and how Centium can help. Browse additional information about Centium's Financial Management Consulting services.
The buzz term of recent years in local government has been ‘smart cities’ – a pretty exciting concept for those people working at the heart of delivery services in our communities. Billions of connected devices instantly translate our physical world into the digital realm by capturing and analysing data about our surroundings in real time.
As examples across the developed world are already proving, it’s no exaggeration to say that the IoT (Internet of Things) has the potential to dramatically transform how we live and work, including:
Connecting our homes and workspaces can deliver enormous efficiency, safety and convenience benefits. Yet the networks of sensors, the data they collect, and the complex software and algorithms used to analyse the data are now combining into IoT ecosystems that challenge traditional governance approaches.
The question needs to be asked: is it smart to connect multiple infrastructures and new built environments, without designing and factoring in security against potentially debilitating cyber attacks?
Think of that classic movie scene – from virtually any era you might belong to – where a city is brought to a standstill by criminals in control of a city’s traffic light system. They are able to flee the crime scene after a heist, with the city in gridlock and police unable to pursue them.
Now extrapolate from this to the smart city environment. We don’t need to paint some kind of doomsday picture. But the fact is that if we think about all the smart sensors we are deploying across local government infrastructure, to collect data in order to make services more efficient, or to optimise other characteristics to serve our communities, the compound effects of a cyber attack are magnified.
Smart cities really are not smart unless they are secure. IoT environments are different in a number of critical ways from what we might consider ‘traditional’ connected environments. The vast number of interconnected devices and sensors in the IoT environment offers hackers a huge choice of points of entry or attack.
Devices such as routers that aggregate IoT data may have numerous vulnerabilities. Most IoT vendors offer their own devices and network elements, with different security features, capabilities and levels of protection, making it very difficult to develop industry-wide security protocols. Many IoT systems are connected to sensitive corporate and government networks, offering hackers especially tempting targets.
It’s time for a new set of governance arrangements around ubiquitous connectivity – the IoT and smart cities – to safeguard our built environments, our food production and every aspect of our interconnected world.
We need to get this right for the safety of our citizens. Already, there are more connected devices than people in the world, and it is predicted that by 2025, 41.6 billion devices will be capturing data on how we live, work, move through our cities, and operate and maintain the machines on which we depend.
When we reach ubiquitous connectivity, which is not far away, the consequences of a major cyber attack will be of a far different scale to those we regularly read about in the news today.
Perhaps one of the biggest risks we face is the relative lack of awareness of security amongst the community. We have recently been witnessing Government agencies taking cyber security training for their staff seriously. However, what is further required is for all workplaces to take far greater responsibility for public awareness of ‘security by design’.
As the tipping point of connectivity is reached, where more everyday ‘things’ are connected than not, there will be an urgent need to remediate any organisations that do not have strong basic cyber security measures in place. This will need to be augmented by more specific standards and certifications for industries with particular exposures.
Smart technology represents huge opportunities and enables many benefits across council and community settings. There are already many examples of projects across NSW where technology is being used to enhance the lives of the citizens of NSW, including:
IoT technology has also been successfully used to help fight the COVID-19 pandemic, utilising smartphones and wearables to monitor social distancing and aid contact tracing.
But it’s not an easy job for our local Councils to concurrently deliver a diverse range of community services while also ensuring the cyber security of their essential services and operations. The incredibly fast pace of digital change, compounded by the impacts of recent events like drought, bushfires, floods and the COVID-19 pandemic, means that Council finances are stretched to the limit. Leadership is thus required to ensure the implementation of best practice security standards, and to ensure that the ‘crown jewels’ of local Council infrastructure are protected with the relevant cyber security controls.
Last year the State Government’s $45 million Smart Places Strategy assisted some NSW local Councils with the uptake of smart technologies. Conversations with local government officials reveal that funding is beginning to trickle down from the State to local level, with some targeted resources provided. However, we can’t underestimate the scale of the challenge facing Councils as the owners of some very significant infrastructure, as it becomes more connected.
To successfully address these challenges, Councils will need to start:
Technology now reaches into most aspects of our lives, whether we live in a ‘smart city’ or not. It guides our spending decisions, directs us home, informs our holiday plans, tracks our movements and aids our productivity in many ways. This places even greater importance on ensuring the continuity and security of services, so that we are rarely, ideally never, disconnected. The Audit Office is rightly taking what this means for the security of both State and Local Government very seriously, by reaffirming its commitment to an audit programme of NSW Council cyber security in the remainder of 2021.
Centium works closely with a number of Local Councils and State Government colleagues to implement information security best practice. We ensure these agencies are compliant with all requisite standards and that their staff are trained in their roles and responsibilities. We also test the preparedness of our clients’ response to potential threats by conducting tailored, real-life simulation scenarios.
For a free, no obligation conversation about getting started with the next phase of your cyber security journey, call Centium’s Director Cyber & IT, Scott Thomson, on 0412 562 797 or contact us online.
Cash transactions are slowly dwindling in Australia. The Reserve Bank’s 2019 Consumer Payments Survey found that only 32% of in-person transactions are conducted in cash, with the fall in small transactions (i.e. under ten dollars) particularly pronounced given “tap and go” technologies.
The percentage of cash transactions has decreased even further over the past year, as a result of the Covid pandemic.
But despite its recent fall in popularity, there is no denying that cash will continue to be regularly used by some customers (such as older persons), and occasionally by all of us (due to system outages and accessibility issues). Because of this, most businesses will continue to accept cash transactions, and accumulate cash takings throughout the day.
These takings remain an attractive target and are subject to risks, namely financial, physical security and fraud risks.
It is suggested that while businesses continue to accept cash transactions there is still a role for internal audit. However, in our experience, a more modern approach is required to enable internal audit to monitor cash handling activities and build capacity as part of its “first line of defense”. This could involve such aspects as CCTV surveillance monitoring and notification to the public; staff safety regarding potential armed hold up; counterfeit notes information, identification and reporting procedures; and strategies to maintain a low level of cash on hand, including monitoring the frequency of cash collection by armed security.
Centium specialises in minimising risk for small to medium organisations, many of whom deal with a broad range of businesses that handle cash.
Our team has developed a self-assessment checklist, which is based on good practice controls and is designed to be completed by front-line supervisors on an agreed periodic basis. It can also be adapted to support staff induction activities.
The checklist includes the following cash handling aspects:
For a FREE COPY of our self-assessment checklist or for more information as to how we could help your business improve its cash handling and financial operations, Contact Us online or give us a call on 1300 237 810.
Still prefer Credit Card payments? Don’t forget that all organisations who receive credit card payments have responsibilities and obligations to comply with, as per the Payment Card Industry Data Security Standard (PCI DSS). Click here for further details on how best to stay compliant.
Privacy Awareness Week is a global campaign that highlights the importance of maintaining privacy and raises awareness for public sector agencies about how to protect the personal information of the people they serve.
Respecting privacy is important because it can be highly personal. We are all different, and everyone has different ideas about their privacy. While some people might not be concerned about certain information being kept private, others have their own reasons to worry – including reputational damage, previous trauma or anxiety, a history of harassment or abuse, or even prior experience of identity theft.
Personal information is:
Personal information is not:
Under NSW privacy laws, public sector agencies and their staff are responsible for protecting the personal information they collect.
Government organisations hold a wealth of personal information, with some examples including:
1. Records of property ownership
2. Submissions
3. Various kinds of applications
4. Service attendance lists
5. Petitions
6. Booking systems
7. Insurance claims
8. Leave and salary details
9. Complaints, investigations and disciplinary matters
10. Qualifications, tickets, licenses and education history
11. Pecuniary interests returns
12. Tax file numbers and bank account details
13. Performance management plans
14. Medical certificates
There are legal obligations by which NSW public sector agencies, statutory bodies, universities and local councils must abide when they collect, store, use or disclose personal information.
These obligations are outlined in the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).
It’s simple. If staff have access to personal information and receive a query or request for that information, they need to think about their privacy obligations. Staff should look for all possible reasons as to why the information might be sensitive, and always comply with the rules set out in the legislation.
Importantly, staff should not become complacent and should actively participate in training regarding their privacy obligations.
Centium has developed a new Privacy eLearning module based on NSW legislation. The module aims to raise awareness of the importance of privacy and provide practical information to allow staff to fulfil their legislative obligations.
Our suite of eLearning modules:
In addition to our Privacy module, Centium has also developed other eLearning modules on the Local Government Code of Conduct, Records and Information Management, and the Public Interest Disclosures Act.
To discuss your information and governance training needs or for more information about how our eLearning solutions can meet your unique needs and circumstances, please contact us or check out our Learning and Development services.
The Auditor General’s Report into Local Government, published on May 27th, highlights how important business continuity activity will be to local Councils for the remainder of 2021. The Report concluded that Councils’ plans need to be updated to reflect lessons learnt from the disasters of recent years. The Audit Office will be conducting a performance audit of business continuity planning in the coming months.
Amongst all the doom and uncertainty associated with Covid-19, there was one tangible benefit that emerged for most organisations. That was that they were compelled to review the currency and efficacy of their Business Continuity Management (BCM) framework and implement (in real-time) their Business Continuity Plan (BCP).
While the vast majority may not have included such a significant pandemic event in their BCP, the better-managed organisations were able to quickly address this anomaly, confront the prevailing challenges and are now recovering in a ‘new normal’ operating environment.
While we all certainly hope we don’t face an event like Covid-19 again any time soon, it has shown us the importance of having the appropriate preparations and frameworks in place in case of business disruption. Ensuring you’re aware of the components of a robust and dynamic BCM framework – and that these components are actively reviewed and fit for purpose – has perhaps never been more important.
A BCP gives your organisation a structured approach to respond to unexpected business disruptions, such as fires, floods or severe weather events, IT outages, cyber incidents, outbreaks of pandemics or supply chain outages.
When it comes to ensuring your organisation can survive these kinds of incidents, maintain its operations and protect its reputation, brand and shareholder value, there is certainly truth in the 16th Century saying, “forewarned is forearmed”. Industry research by the US Federal Emergency Management Agency (FEMA) shows that “40% of businesses that have no plan do not reopen following a disaster and an additional 25% will fail within one year.”
In some industries, Business Continuity Management is mandatory or even regulated (such as financial services). In others, such as the media industry, it’s not even on the radar. Regardless of whether you are mandated to implement BCM or not, there are many benefits for doing so, including:
Of course, some say that the time and cost to implement and maintain business continuity management is not worthwhile. They’d prefer to simply deal with an incident or disaster if and when it arises or hope that all business risks will just ‘go away’. But with the frequency, severity and impact of all types of incidents and disasters on the rise (including cyber incidents, climate-change related natural disasters and the current pandemic), there is an increasing demand for organisations to increase their business resilience and continuity capabilities.
There are numerous local and international standards for business continuity management, as well as those from the likes of the Disaster Recovery Institute.
Regardless of which methodology you adopt, there is consensus that BC projects should be broken into several project stages or phases, as demonstrated in this diagram and detailed below.
While a BCP format varies widely depending on the audience and intended use, a mature Plan will include quick reference ‘aide-memoires’, handbooks, business unit or location-specific plans, and executive-focused ‘Command Team’ plans. Increasingly, BCPs are made available online via specialist business continuity software packages, intranet sites and smartphone applications.
When deciding on BC Plan structure, format and content, no one size fits all. Whether you opt for 100+ page documents, BC Summary Handbooks or 1-page Quick Reference Guides, the considerations include:
Ultimately, a combination of various continuity plans may be needed to meet all of your organisation’s stakeholder requirements.
Perhaps the most important aspect of Business Continuity Management is that it is viewed as a “process, not a project”. Point-in-time risk assessments, business impact analysis, business continuity strategies and plans can quickly become out of date, given today’s dynamic nature of business. Changes in business location, structure, staffing, processes, IT infrastructure and applications are all aspects of organisational change that impact continuity strategies and plans. And with out-of-date business continuity plans providing a false sense of security, relying on them can be fatal to business survival.
Therefore, a clear plan of governance and maintenance activities is critical to the ongoing success of business continuity management. This should map out the timing and responsibilities for all activities: risk and business impact assessment reviews, business continuity plan updates, revision of education and training for staff and continuity team members, and testing and exercising activities.
Industry good practice recommends annual governance and maintenance. The timing of these actions is dependent on many factors (such as company size, industry, regulatory requirements, budget availability and risk appetite). However, in our experience, relying on an annual review is fraught with danger; ideally a continuous, or at a minimum quarterly, maintenance program should be put in place.
Centium has partnered with a specialist Business Continuity service provider who can carry out all aspects of business continuity planning for your organisation. With over 20 years in business, over 140 clients, and over 450 consultancy projects, our accredited BCM partner can quickly and efficiently develop solutions tailored to your specific needs. Further, they offer an outsourced ‘managed service’ to ensure your plan is actively maintained, is current and always fit-for-purpose.
Combined with Centium’s in-house expertise in resilience, cyber and risk management services, we can provide our State and Local Government clients with a comprehensive and robust business continuity management service. This service is further enhanced by a tailored knowledge sharing and training program, which in turn enhances the effectiveness and timeliness of any identified corrective actions.
Contact our Director Risk & Assurance for a no-obligation discussion on penelope.corkill@centium.com.au or 0409 251 011.
A cyber security penetration test (colloquially known as a pen test and sometimes described as ethical hacking) is an authorised simulated cyberattack on a computer system, performed to evaluate the security of the target system.
Pen tests are frequently mentioned in the media, yet when they are reported, their results are never released. That keeps the results confidential and secure, and ensures attackers can’t mine them for their own further nefarious uses. However, for the external viewer, there is always an element of mystery and IT technical complexity surrounding these tests.
At the end of the test/s, a report is delivered to the client showing the weaknesses that have been found, so that the client can implement measures to reduce them. And there are other real benefits to pen testing, which we outline further below.
Potential benefits of a pen test include:
Some of the potential drawbacks are:
So, with all that mystery and IT technical complexity surrounding it, what does a pen test report look like? It will all depend on the outcomes and findings of those tests, and vary as much as the tests themselves. Always technical in nature and usually very confidential, the Executive Summary of a straight-forward pen test report can look similar to the example below.
There are numerous benefits from employing penetration testing, which clearly outweigh the potential drawbacks:
Protect corporate reputation and company profile
Pen testing helps an organisation avoid data incidents that may put the company’s reputation and reliability at risk.
Identify and assess security threats
Organisations can more efficiently anticipate potential security threats and avoid illegal or unauthorised access to crucial information and critical systems through executing regular and complete pen testing.
Avoid application and network downtime
Pen testing helps an organisation escape financial losses by proactively detecting and addressing threats before security breaches or attacks take place.
Service outages and cyber events are expensive
Regular pen testing reduces the risk that the organisation incurs these expenses, which can include exceptional losses, breaches of commercial confidentiality, loss of service availability and customer disruption.
Compliance obligations
The reports produced by pen tests can assist organisations in demonstrating compliance with Government or regulatory body standards, such as PCI DSS or ISO 27001 certification. They assist organisations to demonstrate ongoing due diligence to auditors by maintaining the required security controls.
Some companies make the mistake of starting a pen test too early on a network or system deployment. When a system or network is being deployed, changes are constantly occurring, and if a pen test is undertaken too early in that process, it might not be able to catch possible future security holes. In general, a pen test should be done right before a system is put into production, once the system is no longer in a state of constant change.
A pen test is not a one-time task. Networks and computer systems are dynamic — they do not stay the same for very long. As time goes on, new software is deployed and changes are made, and they need to be tested or retested.
How often a company should engage in pen testing depends on several factors, including:
Centium has partnered with two specialist Pen Testing firms who carry out the vulnerability assessments and penetration tests required to detail all risks pertaining to systems and applications in an organisation.
When combined with Centium’s in-house expertise in cyber and IT risk management services, we are able to provide our clients with a comprehensive vulnerability assessment service. This service is further enhanced by a tailored knowledge sharing and training program, which in turn enhances the effectiveness and timeliness of any identified corrective actions.
With Centium as your cyber security partner, you can rest assured that your valuable information and IT systems are protected, and you will be much better placed to mitigate potential cyber-attacks.
Centium specialises in cyber security and information management. Discover how we can help today by contacting us for a free consultation.