Vital Victorian government services could face massive disruptions in the wake of a cyber attack or computer shutdown because IT recovery systems are not good enough, a damning auditor-general's report says.

The report found: 41 per cent of computer systems across audited government agencies were obsolete

41 per cent of computer systems across audited government agencies were obsolete System weaknesses could extend any outage of public services or leave systems vulnerable to attacks

System weaknesses could extend any outage of public services or leave systems vulnerable to attacks Agencies did not have sufficient processes to identify and recover their systems following a disruption

Victoria's auditor-general Andrew Greaves warned in the report that while the likelihood of a significant disruption was low, the consequences could be "catastrophic".

"At present, none of the agencies we audited have sufficient assurance that they can recover and restore all of their critical systems to meet business requirements in the event of a disruption," the report said.

Mr Greaves examined IT disaster recovery plans for Victoria Police and the departments of Justice and Regulation, Health and Human Services, Environment, Land and Planning and Economic Development, Jobs, Transport and Resources.

The report found 79 per cent of computer systems supporting critical business functions at Victoria Police — or 19 out of 24 — were obsolete, and only three of them have disaster recovery plans.

Across all audited government agencies, 41 per cent of the computer systems were obsolete.

"Systems that operate on obsolete hardware or software present a significant disaster recovery risk, because of the limited availability of hardware spare parts, vendor technical support, and staff knowledge and skill," it stated.

"At worst, agencies risk catastrophic equipment failure, extended outage of public services, and exploitation of vulnerable systems by computer virus attacks.

"These circumstances place critical business functions and the continued delivery of public services at an unacceptably high risk should a disruption occur."

The report also found the agencies did not have sufficient and necessary processes to identify, plan and recover their systems following a disruption.

"Without having disaster recovery plans and testing them regularly, agencies risk not being able to recover systems in a timely way because of a lack of guidance for staff on what is required to bring systems back online," it stated.

"As a result, critical government services — such as criminal justice and policing operations — may be unavailable for longer than is necessary, depending on the scale of the disruption."

The report recommended the four departments and Victoria Police form a "disaster recovery working group" to provide technical support and advice, and share lessons learned.

A Victoria Police spokeswoman said the force accepted all the recommendations made in the report and that it was working to improve its systems.

"Victoria Police is currently engaged in an extensive IT transformation program which will significantly enhance our IT capabilities," she said.

"This includes the rollout of mobile technology to police members in the field and the introduction of a significantly improved intelligence management."