But this time there is something important and new. The report studies the success or otherwise of Gateway reviews, in which small teams appointed by the Office of Government Commerce assess whether risky projects are going well.
Staged Gateway reviews are supposed to catch impending IT disasters before they can harm public services.
The findings of the NAO reinforce our view that the self-regulation of government departments, when it comes to preventing disasters, is moderately more effective than a few years ago. But it is by no means working well.
The arrangements for self-regulation operate within the good-mannered conventions of a Victorian gentlemen's club. Departments can skip a Gateway review or two with impunity. Parliament will not know because the reviews are not published. And there is no systematic external scrutiny of the reviews to see if they have given the green light to an overly risky or flawed project.
The OGC picks the reviewers, and the departments it reviews are its customers. And it counsels departments in how to keep the review reports secret.
Effective sanctions on non-adherence to good practice are non-existent. If a department goes through a Gateway review's "red light" twice in a row on the same project, the OGC will send a letter to the department's head. Gosh.
In a small number of disasters, accountability comes in the form of the Public Accounts Committee. But the departmental heads have nothing to fear. From where they sit, the only point of a PAC hearing is that it gives them a chance to take their verbal skills, wit and mental dexterity into the gym for a workout.
After a string of IT disasters, the then US president Bill Clinton realised that he could not ask public officials to be more open and accountable to Congress than they wanted to be. So he introduced legislation to force them to be.
The UK government can continue to pussyfoot around tackling IT disasters. It can welcome more gentlemanly worded NAO reports which are read by a few, put on the shelf and life carries on as before.
Or it can set a precedent by taking decisive action to prevent IT disasters. It can legislate on accountability, and publish Gateway reviews. Only these measures will stop IT-related failures.