Audit of Government Websites

The Australian National Audit Office has issued a report on Government Agencies' Management of their Websites. This assesses how well the web sites are managed at the Australian Bureau of Statistics, Department of Agriculture, Fisheries and Forestry, and the Department of Foriegn Affairs and Trade. The purpose, risk management, planning, policies, content management procedures, performance monitoring and reporting for the web sites was looked at and found to be adequate overall. A summary of the results is available in web format and the full report in PDF. Unfortunately the ANAO made the mistake of listing the full report before the summary. As a result many people will end up with 1.7 Mbytes of PDF download, when they most likely would be happier with 40 Kbytes of web page:

• Background
  
• Audit approach
  
• Overall audit conclusion
  
• Key findings (by Chapter)
  
• Summary of agencies' responses
  
• For more information please contact
• Download 2008-09_Audit_Report_13

Overall audit conclusion

Over the past decade Australian Government agencies’ use of websites to provide information and services has grown significantly, to the point that, at the beginning of 2008, the Australian Government had more than 800 websites accessible via the Internet. Websites are now an integral part of program delivery for many agencies in contributing to program outcomes.

Effective website risk management, content management and monitoring provide a sound basis for the design, implementation and operation of websites, helping to ensure that appropriate and current information and services are delivered at planned levels. Sound website management will be underpinned by a clearly stated purpose developed in association with an agency’s business goals and risk management. Such an approach allows the significance of a website to service delivery to be taken into account by agencies in making decisions on website management.

Overall, the ANAO concluded that, for the five websites examined in the three audited agencies, management processes and practices provided an adequate level of support for the delivery of information and services via those websites. However, given the increasing emphasis on the use of websites for service delivery, the audit identified scope to improve the three agencies’ website management.

While the audited websites each had a purpose, for most it was not clearly stated and there was little documentation showing how the purpose guided decisions on website use. This made it difficult for the owner agencies to monitor the contribution and impact of each website to the relevant program and agency outcomes.

The survey data identified considerable diversity in the number, size, and type of websites and supported the importance of website management being tailored, taking into consideration risks. For example, one large agency had 96 websites, and the surveyed agencies’ websites varied in size from 35 to 900 000 pages. Agencies with multiple or large websites faced increased risks associated with opening and closing websites, and managing growth in website content. The level of supporting website risk management documentation could be improved given each website’s risk profile, and that each of the agencies had multiple sites.

A majority of the website risk management documentation for the audited agencies was covered in ICT security documentation, but varied in both the scope and type of the risks covered. In addition, two of the audited websites had not reviewed their website risks for up to three years. In this time, one of these sites had changed from an information-only site to a transactional site, while another site’s purpose also had changed. Periodic review and treatment of risks, specifically where the website has undergone significant change, reduces the likelihood or consequence of new or emerging weaknesses or threats to the achievement of program outcomes. This is particularly important for websites that are integral to service delivery given the key role of websites with customers and other stakeholders.

The audit also identified that government websites are growing in size, which by its nature influences the risks of websites containing inaccurate, superfluous and or outdated information. Four of the five websites examined had adequate processes to record changes to website content, archive these changes, and to record approvals. However, one of the websites, important to the provision of information to the public, had no documentation to specify content management processes. This increased the risk of the agency publishing misleading information.

Also, agencies with large or high risk websites can benefit by introducing automated content management systems. These systems provide assurance that website content will not be published without approval, and they store website content changes, and retain copies of documents prior to changes being made.

All of the audited agencies monitored website user activity and satisfaction. However, none of the audited agencies reported specifically on how their websites were meeting their respective purposes and how they were contributing to agency business goals. Also, most agencies had little information on the costs of operating and maintaining their websites. Agencies with websites that pose significant risks to service delivery or that have multiple websites would benefit from an improved understanding of their website user activity, performance, and cost information. ...

From: Government Agencies' Management of their Websites, Report Number: 13, ANAO, 16 December 2008.