Auditor-General flags lapses in IT controls, procurement and contract management in public agencies

Public accountability remains a top priority for the Government, said the Finance Ministry. ST PHOTO: LIN ZHAOWEI

SINGAPORE - Weaknesses in IT controls continue to be a point of concern for a number of government agencies, and audits have turned up lapses in procurement, contract and operations management at entities such as the JTC Corp.

In its annual audit report released on Monday (Sept 7), the Auditor-General's Office (AGO) flagged issues in three ministries and eight statutory boards.

These include information technology weaknesses at national water agency PUB, as well as gaps in the management of business grant programmes under Workforce Singapore (WSG) and Enterprise Singapore (ESG).

Public accountability remains a top priority for the Government, said the Finance Ministry in its response to the report.

"Heads of the agencies concerned have reviewed each case and are taking active steps to address the lapses. Where relevant, remedial actions have been taken at a whole-of-government level to prevent recurrence of these lapses."

Government agencies have verified that no confidential data was compromised and no unauthorised activities resulted from the IT lapses, and that they have undertaken recovery actions for lapses involving overpayments, the ministry added.

This year's report was delayed because of Covid-19 measures, including the implementation of the circuit breaker period, said Auditor-General Goh Soon Poh. These affected the timeline for the preparation of the government financial statements and consequently, the completion of the audit by AGO. The report is typically issued in July.

Weaknesses in IT controls

Several IT issues involved the most privileged operating system user accounts, said Ms Goh.

These accounts give users full access privileges to the operating system, including the ability to make changes to activity logs. For this reason, it is considered prudent to restrict access to such accounts and review all activities carried out with them.

But in some organisations, misconfigurations led to operating system administrators being able to access these accounts without password authentication. Others did not carry out adequate activity reviews.

In the case of PUB, which was involved in a public-private partnership project, it did not ensure that its private-sector partner had implemented adequate controls. For example, excessive rights were granted to the partner's vendor. An administrator account was also shared among staff from the partner and its vendor.

Procurement and contract management lapses

Lapses in procurement and contract management were found at the Government Technology Agency, JTC, National Library Board (NLB) and PUB.

NLB was found to have poorly managed contract variations and overall project management for its revamp of the National Archives of Singapore building. In-principle approvals were sought for variations without compelling reasons, and approved even though no ballpark cost estimates were provided.

In the end, the project exceeded its approved cost by $1.72 million, the AG noted.

Meanwhile, JTC paid a terminated contractor, even though it could have withheld the payment under the contract and used this to offset the debt claimable from the contractor. JTC subsequently filed a claim against the contractor for this debt, but as of June had not yet received any monies owed.

Operations management lapses

Lapses in operational processes were found at the Ministry of Foreign Affairs (MFA), JTC and PUB.

In MFA's case, the AGO detected issues when auditing an overseas mission. Measures to enforce terms stipulated in service agreements signed with the mission's authorised visa agents were inadequate, it said. Three of the 16 appointed visa agents were found to have stated visa fees that were between 16 per cent and 50 per cent higher than what was stipulated in the service agreements.

The AGO also found that JTC's leased and tenanted premises may have been sublet to about 26,000 entities without approval. It also noted illegal storage or sale of diesel to the public at four leased industrial premises, which could pose environmental and safety risks. Following this, JTC investigated around 2,800 entities, finding about 2,010 suspected cases of unauthorised subletting.

At PUB, the agency's private-sector partner in a project was able to modify real-time parameters in an IT system, which would affect the amounts to be paid by PUB.

Gaps in management of business grant programmes

In its audit of six business grant programmes managed by WSG and ESG, the AGO flagged several issues with grant evaluation and approval, as well as with disbursement and cessation.

For instance, it noted three cases where individuals or companies may have circumvented WSG grant requirements and controls. It also found instances of double claims by companies, and cases of double funding across different grants. In addition, there were instances where WSG did not follow up to recover unutilised grant money in a timely manner.

In the case of ESG, the funds disbursed for certain grants were not in line with grant guidelines, resulting in either an excess or a shortfall. Its officers also had inconsistent practices when assessing companies' eligibility.