Auditor-General flags gaps in IT controls at several govt agencies

Audits also show lapses in procurement, contract and operations management

Public accountability remains a top priority for the Government, said the Finance Ministry. ST PHOTO: LIN ZHAOWEI

Deficiencies in IT controls continue to be a point of concern for a number of government agencies, and audits have turned up lapses in procurement, contract and operations management at entities such as the JTC Corporation.

In its annual audit report released yesterday, the Auditor-General's Office (AGO) flagged issues in three ministries and eight statutory boards.

These include IT weaknesses at national water agency PUB, as well as gaps in the management of business grant programmes under Workforce Singapore (WSG) and Enterprise Singapore (ESG).

Public accountability remains a top priority for the Government, the Finance Ministry said in its response to the report.

"Heads of the agencies concerned have reviewed each case and are taking active steps to address the lapses. Where relevant, remedial actions have been taken at a whole-of-government level to prevent recurrence of these lapses."

Government agencies have verified that no confidential data was compromised and no unauthorised activities resulted from the IT lapses, and that they have taken steps to address lapses involving overpayments, the ministry added.

This year's report was delayed due to Covid-19 measures, including the implementation of the circuit breaker period, said Auditor-General Goh Soon Poh. These affected the timeline for the preparation of the government financial statements and consequently, the completion of the audit by AGO. The report is typically issued in July.

Several IT issues involved the most privileged operating system user accounts, said Ms Goh.

These accounts give users full access privileges to the operating system, including the ability to make changes to activity logs. For this reason, it is considered prudent to restrict access to such accounts and review all activities carried out with them.

But in some organisations, misconfigurations led to operating system administrators being able to access these accounts without password authentication. Others did not carry out adequate activity reviews.

In the case of PUB, which was involved in a public-private partnership project, it did not ensure that its private sector partner had implemented adequate controls. For example, excessive rights were granted to the partner's vendor. An administrator account was also shared among staff from the partner and its vendor.

Lapses in procurement and contract management were found at the Government Technology Agency, JTC, National Library Board (NLB) and PUB.

NLB was found to have poorly managed contract variations and overall project management for its revamp of the National Archives of Singapore building. In-principle approvals were sought for variations without compelling reasons, and approved even though no ballpark cost estimates were provided.

In the end, the project exceeded its approved cost by $1.72 million, the Auditor-General noted.

Meanwhile, JTC paid a terminated contractor, even though it could have withheld the payment under the contract and used this to offset the debt claimable from the contractor. JTC subsequently filed a claim against the contractor for this debt, but as of June, had not yet received any monies owed.

Lapses in operational processes were found at the Ministry of Foreign Affairs (MFA), JTC and PUB.

In MFA's case, the AGO detected issues when auditing an overseas mission. Measures to enforce terms stipulated in service agreements signed with the mission's authorised visa agents were inadequate, it said. Three of the 16 appointed visa agents were found to have stated visa fees between 16 per cent and 50 per cent higher than what was stipulated in the service agreements.

The AGO found that JTC's leased and tenanted premises may have been sublet to about 26,000 entities without approval. It also noted illegal storage or sale of diesel to the public at four leased industrial premises, which could pose environmental and safety risks. Following this, JTC investigated around 2,800 entities, finding about 2,010 suspected cases of unauthorised subletting.

At PUB, the agency's private sector partner in a project was able to modify real-time parameters in an IT system, which would affect the amounts to be paid by PUB.

In its audit of six business grant programmes managed by WSG and ESG, the AGO flagged several issues with grant evaluation and approval, as well as with disbursement and cessation.

For instance, it noted three cases where individuals or companies may have circumvented WSG grant requirements and controls. It also found instances of double claims by companies, and cases of double funding across different grants. In addition, there were instances where WSG did not follow up to recover unutilised grant money in a timely manner.

In the case of ESG, the funds disbursed for certain grants were not in line with grant guidelines, resulting in either an excess or a shortfall. Its officers also had inconsistent practices when assessing companies' eligibility.

The Ministry of Finance said the Government will continue to strengthen procurement and contract management processes, and is tightening its whole-of-government IT auditing regime alongside the training of public officers on IT governance and security controls.


A version of this article appeared in the print edition of The Straits Times on September 08, 2020, with the headline Auditor-General flags gaps in IT controls at several govt agencies.