Public organisations have demonstrated transparency in their communications with the Auditor-General, she said, after operations were disrupted owing to a massive cyberattack.

Heather Thomas said she would support government-audited units during the crisis and added that the quality of audits will not be compromised.

Her comments came after a cyberattack last week that resulted in the shutdown of government IT systems, which continued to be affected yesterday.

Ms Thomas said the Office of the Auditor-General had “many inquiries” from the public and media on the incident.

She added it was “pressing” that the Government made sure and provided assurances that information about its business, that of its partners, and residents’ personal data was secured.

Ms Thomas said: “As the office responsible for supporting Parliament by scrutinising and providing objective, fact-based information through audits, to hold the Government to account and to promote improvements in public services financial administration, my intention is to continue to work closely with the Government-audited bodies to support them during this disruption, while preserving my objectivity and independence as Auditor-General.

“The government bodies have been transparent in their communication to the office on business disruptions.

“In addition, it is already clear that it’s going to be difficult to carry out the audit of the government accounts and other government work in the current circumstances.

“We will not compromise the quality of public entities’ financial reports or our audits of the information they contain.”

She cited a report from her office, published in 2021, Government of Bermuda’s Response to Covid-19: The Unemployment Benefit Administration, which said: “In times of crisis, the agility and robustness of public finance management systems are truly tested and experience has shown that these types of circumstances can create opportunities for various types of violations that could seriously weaken the effectiveness of government actions.”

Ms Thomas said yesterday: “The Government Department of Internal Audit can provide advice to decision-makers that will protect the Government of Bermuda assets and reputation by providing guidance on their internal control framework to support operational sustainability during this crisis.

“Also, it is important to note the duty of accountability and to document and safeguard records does not cease; it becomes even more essential that the Government documents its decisions and captures critical information as new ways of working are adopted rapidly without the usual processes and infrastructure.

“It is also essential that the basis of those decisions, the decisions themselves and the senior decision-makers involved be safeguarded and thoroughly documented in order for governments to remain accountable both during and after this crisis.

“We will continue to engage the Government on its response measures, and the impact this has on day-to day operations.”

Gitanjali Gutierrez, the Information Commissioner, said earlier that permanent secretaries, heads of departments and other public officers “transitioned to using mobile phones and personal e-mail accounts to continue government services” in response to the cyberattack.

She added on Monday: “Regardless of the device or platform used, these electronic communications are public records that reflect government decision-making and business.

“The same is true for paper-based communications and business processes being used at this time, as some government processes have reverted to paper-based transactions while their digital system is unavailable.

“Public officers must be mindful that these records are subject to search, retrieval and potentially disclosure in response to public access to information requests.”

Ms Gutierrez highlighted that “once this incident has passed, the public may seek full transparency and accountability of any decisions” made amid the crisis.

She explained that steps to make sure public records were properly preserved could involve the inclusion of government-issued mobile phones — that retain communications — when messages were conveyed by WhatsApp or SMS.

Ms Gutierrez added: “The right to access public records under the Pati Act and public authorities’ obligations to comply with the Pati Act have not been suspended.

“As a practical matter, however, many public authorities continue to be affected by the cybersecurity incident and their ability and capacity to comply with the timelines under the Pati Act impacted.”

• The Office of the Auditor-General was open and operational. It can be contacted by phone on 296-3148 or by e-mail at oag@oagbermuda.bm. The Information Commissioner’s Office was also fully operational, and can be contacted by phone on 543-3700 or by e-mail at info@ico.bm