The ACT Government’s computer information systems are exposed to unnecessary risk, with agencies failing to act on warnings going back five years, according to a new audit report.
A review of controls over these systems during financial audits revealed weaknesses that pose a higher risk of errors and fraud, unauthorised disclosure of sensitive information, loss of information and the inability to recover systems in the event of a major disruption or disaster.
The range of data at risk involves millions of dollars in rates, taxes, fees, levies, bus fares and leave entitlements.
ACT Auditor-General Michael Harris said weaknesses in need of particular attention related to maintaining system security and performance; protecting systems from malicious attacks; and safeguarding data and applications on the network against unauthorised and fraudulent access.
Mr Harris also said agencies needed to address weaknesses in a more timely manner as some of them were first raised by the ACT Audit Office five or more years ago.
The audit found that there were too many inactive (former employees) and shared user accounts, and that the use of cloud-based computing services needed to be better managed to protect sensitive data.
Other areas that needed attention were the patching of applications to maintain system security and performance, and the whitelisting of applications – a security technique where only approved programs are allowed to operate, while all other programs are blocked – to protect systems from malicious programs such as viruses.
Twelve new weaknesses were identified in controls over major financial applications in 2017-18, with most (67 per cent) of these relating to new applications that were implemented by agencies, including TRev, the system used to record taxes and fee revenue of about $972 million, and the APIAS application, the system used to record and approve supplies and services expenditure of about $1.237 million.
The audit also found that in order to strengthen the security of financial information, user access needed to be better managed and privileged users needed to be regularly monitored to promptly identify errors and fraud.
Overall, the audit assessment found that the key controls over computer information systems used for financial reporting were satisfactory but it made 19 recommendations to strengthen them.
Some ACT Government agencies had already taken action to address issues identified in the report but ‘continued vigilance is necessary to maintain the accuracy, completeness and reliability of financial information being reported in their financial statements’.