Strengthening oversight and management of IT portfolios (…) These investments often lack disciplined and effective management in areas such as project planning, requirements definition, and program oversight.
Critical Actions Needed to Urgently Address IT Acquisition and Management Challenges GAO - USA 2025

The Danish Agency for Governmental IT Services has not upgraded or decommissioned servers, before the developer ceased to release security updates. Moreover, the agency’s overview of the servers is incomplete, which reduces the ability to respond quickly to cyberattacks and emerging cyberthreats.
Security of servers managed by the Danish Agency for Governmental IT Services Rigsrevisionen - Denmark 2023

Despite the widespread public interest in algorithms, no specific tools for auditing or analysing algorithms have not yet been developed / up untill this date. This is why we developed our own audit framework . It incorporates the standards that are currently used in order to limit the potential risks inherent to the use of algorithms. We link the aspects that are tested and the audit questions to these risks. The likelihood of the risks actually materialising in relation to a specific algorithm, and the extent of the damage thus caused, depend on whether or not sophisticated techniques are used, and on the source of the data, method of collection and quality of the data used, and the impact that the algorithm has on private citizens. Our audit framework intends to assist in making algorithms, and to foster debate on the potential risks of algorithms. Assessors and auditors will be able to use this audit framework in the future to assess algorithms in a consistent and uniform manner.
Understanding algorithms - 2021 NCA - Netherlands 2021

For improving the monitoring of the electronic environment of the state administration, in cooperation with CERT.LV, the Ministry shall develop criteria to identify institutions where CERT.LV should deploy security sensors and shall develop a strategy for broader installation and use of security sensors
Can we rely on the access to IS and the receipt of e-services? LRVK - Latvia 2024

The Cabinet Office does not have access to robust expenditure and benefits data from departments to take informed strategic decisions on protecting information. This is in part because departments do not always collect or share robust expenditure or benefits data. The Cabinet Office has recently collected some data on security costs, although it believes that actual costs are ‘several times’ the reported £300 million figure. Departments often do not share advice and knowledge effectively, either resulting in them repeating work at additional cost or missing the opportunities presented by adopting new technologies
Protecting information across government NAO - UK 2016

Checks were carried out irregularly and only after discovered incidents, queries/complaints from data subjects, or other external events.
Database access management RKTR - Estonia 2023

Ministry of Economy and Innovation does not monitor program implementation indicators. Without progress monitoring, delays in the implementation of strategic goals, objectives and measures are not identified before the end of the planned implementation period, so that actions can be taken to manage the risk of delays (subsection 2.1, page 22).-IVPK annually conducts a study of the use of electronic services, but the monitoring does not include the evaluation of all (64 351) provided electronic services, but only 12 main ones.
Management of digitalization of public and administrative services VK - Lithuania 2023

It is important that cyberincidents are reported immediately, to enable higher-level analysis and appraisal of the threat. This could allow the threat of a lateral spread across the entire Federal Administration to be contained or, at best, prevented. During the audit, the SFAO observed that communication with the NCSC needs to be expanded further. For example, horizontal management , especially the exchange of information between service providers, is not yet ensured in all areas.
Audit of the effectiveness of incident management in protecting federal ICT from cyber-risks SFAO - Switzerland 2022

Monitoring and control of the implementation of the National Cybersecurity Strategy is focused on continuous reporting on the progress achieved, but in 2019-2021 the strategy implementation results were not reviewed annually: from 2021 after the Law on Strategic Management came into force, the Ministry of National Defence did not collect and systematize information about the results of the implementation of the National Cybersecurity Strategy. The executors of the Strategy did not monitor all measures and evaluation criteria.
Cyber Security Assurance VK - Lithuania 2022

Supervision of projects is a formality: the achievement of substantive goals is not always evaluated. There is a thorough inspection of whether the expenditure for which the aid is paid out is actually the expenditure indicated in the project, but the achievement of the project’s goals is almost not evaluated at all. This is the result of vague evaluation criteria , which usually don’t even expect the projects to have a specifically measurable impact. The attention paid to the sustainability of the created information systems is also insufficient, i.e. there is no evaluation of the administration and maintenance costs of the information system or the extent to which further development is required.
Use of European Union funds in promoting information society RKTR - Estonia 2012

The audit was not able to determine the exact costs of the Public Key Infrastructure because full cost accounting was not performed. This suggests that there may be some uncertainty or lack of transparency in the cost structure of the PKI.
Examination of development and operation of the public key infrastructure SFAO - Switzerland 2023

Officials from the critical manufacturing, energy, and transportation systems sectors identified several reasons for not tracking implementation of practices included in the NIST ransomware profile or other practices used to address ransomware. For example, six of the eight (…) stated that they were not familiar with the ransomware profile or did not identify it as one of the adopted sets of practices within the sector.
CRITICAL INFRASTRUCTURE PROTECTION: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support GAO - USA 2024

Those involved in governance need to think through what internal and external assurance they need, the skills and experience they need within that assurance, when they will need it, and how the various types of assurance fit together in an integrated assurance plan. If this is not done, there is a risk that, instead of there being informed assurance at key points, assurance becomes ongoing non-expert commentary which could cause delay and confuse accountability.
Lessons learned: Governance and decision‑making on mega‑projects NAO - UK 2025