The Queensland government is losing millions of dollars and putting itself at risk of cyber attack because it's "unwilling to learn" from mistakes and failing to be upfront about their own performance, a report says.

Queensland Auditor-General, Brendan Worrall, says almost a third of 454 recommendations he has made to improve government performance in 2018-2020 are yet to be fully implemented.

He says the failure to make changes is impacting oversight, use of IT and data, and sometimes cost millions through poor contract and project management.

"My experience has been that entities are either unwilling to learn from the past or each other, or lack the systems or corporate knowledge to understand the reasons for past failings," Mr Worrall wrote in the report, publish on Monday.

"In some instances, the fear of repeating past failures is resulting in entities missing opportunities to implement new systems and technologies.

"There is also a lack of information and data sharing within and between entities that would enable them to learn from the mistakes of others and prevent them from re-occurring."

He said "too often" government departments had audit committees made of their own staff or still lacked them.

There's also been reluctance to report on performance in a timely and transparent way, the report said, which was vital to maintain public trust.

"In many cases, their performance targets and reporting practices focus on outputs, rather than outcomes," Mr Worral wrote.

"As such, they do not shine light on the effectiveness of their performance.

"Too often, entities only report success stories and fail to report areas of underperformance."

State and local government departments were also failing to keep abreast of development in information technology, and rely on legacy systems, which are not fit for purpose.

The report said that not only created a performance barrier but made government departments "particularly susceptible" to cyber attacks.

"Public sector entities, small and large, must recognise this is a genuine risk to them and act to mitigate the risk. Their profile makes them a target," Mr Worrall wrote.

Mr Worrall said the State Penalties Enforcement Registry spent more than $52 million on an ICT system that was never used.

Meanwhile, Energy Queensland's ICT project is about $181 million over budget and expected to be delivered a year late.

Departments can learn from past failings by planning better, ensuring they are capable, and strengthening their risk management practices.

"The Queensland government intends to spend $52.2 billion on infrastructure projects over the next four years. It is currently spending $1.5 billion on ICT projects," the report said.

"It is therefore critical that entities examine past mistakes and use these learnings as the building blocks for future contracts.