An audit into the IT systems that support financial reporting inside 45 Victorian Government entities has found 134 high-risk findings, rising from 69 in 2013-14.
The Financial Systems Controls Report: Information Technology 2014-15, which builds on last year’s inaugural Information and Communications Technology Controls Report 2013-14, assessed the maturity of 65 IT applications and associated infrastructure. The audit also placed considerable focus on identity and access management (IDAM) and software licensing.
The Victorian Auditor-General’s Office (VAGO) found that IT control deficiencies and systems at or approaching end-of-life continue to be present across the public service despite previously recommending improved governance and oversight measures.
41 per cent of the findings from the previous year’s ICT Controls Report 2013-14 – which also identified continued agency use of end-of-life applications as a key contributor to poor ICT security controls – had still not been addressed. Another VAGO audit report earlier this year revealed that 65 weaknesses at nine departments remained unresolved a year after they were first highlighted.
“Similar to last year, management at these entities continue to be slow to act on our findings, especially our high-risk findings”, Acting Auditor-General Peter Frost said.
“This demonstrates the need for more focused attention and oversight of IT issues by accountable officers and governance bodies, including audit committees.”
IT applications considered in-scope included bespoke software, Enterprise Resource Planning (ERP) systems, and commercial-off-the-shelf packages.
134 audit findings were considered high-risk, while one entity possessed an extreme-risk finding relating to authentication and password controls. The majority of the findings were identified as presenting medium concern.
91 per cent of the high-risk findings relate to:
- “Managing access to IT applications and data;
- authenticating users to IT systems, such as password controls;
- assurance obtained by entities over IT general controls performed by external organisations; and
- entities using IT systems, which are no longer, or soon not to be, supported by vendors.”
Management controls at outsourced IT environments
VAGO found that despite “a noticeable upward trend in the number of service assurance reports being obtained by public sector entities”, greater monitoring was still needed. The report notes that there appeared to be a perception within entities that risks associated with the control environment are transferred when an outsourcing arrangement is entered into.
“Worryingly, there remain pockets of limited awareness and acceptance, including high-risk entities, of the risks and responsibilities associated with outsourced arrangements”, states the report.
While changes in 2014-15 led to the provision of policy guidance at a whole-of-government level, no specific guidance for managing outsourced IT arrangements currently exists.
Continued use of end-of-life systems
Limited progress was made by entities in 2014-15 to upgrade end-of-life systems, with 53 per cent of systems under the scope of the audit found to be approaching or past end-of-life. This is partially due to the halting of the WofG ERP project following the change of government in November 2014.
Several entities have attempted to remedy this in the short term by arranging customised vendor support for outdated software; however, this comes at significant cost to the entity. The audit also found that suppliers may not address new security weaknesses that arise through the continued use of the applications.
IT security controls
IT security weaknesses across user access management, authentication controls, audit logging and monitoring of the IT environment, patch management, IT change management, backup management, business continuity and IT disaster recovery planning continue to occur across entities, accounting for 68 per cent of the 2014-15 audit findings.
User access management was highlighted as the most prevalent control weakness, accounting for 30 per cent of all findings, and was identified as stemming from poor understanding, inadequate periodic reviews and human oversight.
VAGO intends to release a better practice guide in the coming months to improve future IT control environments.