A recent audit has identified ongoing problems in the IT control environment in a number of Federal agencies. The ANAO report found significant shortcomings in the security and management controls in both FMIS and HRMS systems, and in the management of releases to the production environment in a number of agencies.
The report is titled Interim Phase of the Audit of Financial Statements of General Government Sector Agencies for the Year ending 30 June 2008.
A key aspect of the report is an audit of key elements of IT control environments that underpin financial transaction processing within major agencies, including IT security, systems delivery and application controls in financial management information systems and HR management information systems.
Discussing the impact of increased use of IT, the report says “While technology and related improvements continue to present agencies with major business opportunities, they also involve new or enhanced risks that need to be effectively managed.”
The ANAO found that all agencies had governance arrangements in place to oversee and manage their information and IT change processes. However, the report observes “…our audits continue to identify a range of IT control weaknesses in some agencies in relation to security and management controls in both FMIS and HRMIS systems, the management of release and management processes, and the updating and testing of Business Continuity and Disaster Recovery Plans.”
Amongst the findings:
IT Security Controls – Need for a number of agencies to implement security practices that are consistent with defined security requirements. Almost a quarter of agencies did not have a complete or current System Security Plan for all IT systems. Almost 20% had inadequate user access systems.
Change Management – Almost all agencies had control weaknesses in the area of release management, and most agencies had not established consistent backout procedures.
Financial Reporting System Controls – There were several weaknesses in the management of FMIS systems across agencies. More than half the agencies had inadequate security arrangements.
HRM Information Systems – Failure to manage special and privileged users can undermine the integrity of these systems.
In view of the number of large IT projects that will be coming on line over the next two years, the ANAO states that it will assess IT governance and change and release management arrangements as part of providing assurance about the reliability of key financial and related business systems.