Audit snapshot
What we reviewed and why
We reviewed the extent of legacy ICT systems operating across SA Government agencies and the risks they create for service delivery, security, performance and long-term sustainability. Legacy systems remain in use when ageing, complex or tightly integrated technology is too costly, risky or difficult to replace.
In 2025, we surveyed 18 agencies to gather high-level information about legacy systems in their ICT environments. We then selected 10 agencies to review how they are managing the operational, security and governance risks of legacy applications, operating systems, hardware devices, database management systems and virtualisation platforms.
This review builds on our earlier work over the past decade, and reflects the continuing significance of legacy ICT systems as a whole-of-government issue. It also considers whether agencies are identifying, documenting and reporting legacy system risks to governance committees so they can be prioritised for treatment, upgrade or replacement.
What we concluded
Legacy ICT systems remain common across agencies and continue to present significant operational and security challenges. In many cases, these systems remain in use because agencies do not have sufficient funding, resourcing or replacement pathways to modernise them.
We found weaknesses in how some agencies manage legacy system risks, including incomplete asset inventories, limited formal risk assessments, gaps in risk register documents and inconsistent reporting to governance bodies. These gaps reduce visibility of risks and can delay action to remediate or replace systems.
We concluded that agencies need to adopt a more structured, risk-based approach to managing legacy ICT systems. This includes completing modernisation projects, maintaining better visibility of legacy assets, documenting risks and treatments more clearly, and ensuring governance committees receive regular updates on progress and residual risk.
Key facts
Of the ICT systems we assessed in 2025, these qualified as legacy systems:
