SINGAPORE - The new Auditor-General has found weaknesses in IT controls as well as irregularities in procurement and the management of contracts in several government ministries and agencies.
These were among the key financial lapses found in ministries such as National Development and its statutory board Urban Redevelopment Authority; Defence; Manpower; as well as Culture, Community and Youth. They were flagged in the latest annual report of the Auditor-General's Office (AGO) released on Tuesday (July 16).
Here are the key findings:
Lapses in contracts and processes
Work on parts of arts museum National Gallery Singapore had begun or was done. Only then was approval sought to vary the contracts involved. The delay ranged from 30 days to almost four years.
In all, the AGO found lapses in approvals for 142 contract variations amounting to $12.4 million. In 17 of the cases, no approval was sought, even though the cost had risen from $1.27 million to $2.67 million.
In one case, approvals for seven contract variations, each exceeding $100,000, were obtained from the incorrect approving authority.
A contractor was also overpaid by $150,300 because costs for work not done were not deducted.
The AGO report, in a sharp criticism, said "the role of the approving authority for contract variations must not be regarded as perfunctory".
While the Ministry of Culture, Community and Youth (MCCY) had appointed National Gallery Singapore to manage the project, the AGO reminded MCCY it remained accountable and responsible for ensuring financial prudence.
Failure to deduct costs for work not done could result in MCCY not obtaining full value for the public funds spent, it said.
The AGO also found irregularities in procurement and the managing of contracts at the Islamic Religious Council of Singapore (Muis) and the National Council of Social Service (NCSS).
With Muis, the evaluation sub-criteria and scoring method used to determine who gets the contract were decided only after the tender closed. This applied to 12 tenders and quotations totalling $5.54 million. There were also errors in the scores awarded.
For four tenders and quotations totalling $1.38 million, Muis did not evaluate the proposals according to its published evaluation criteria. The AGO said it could subject the evaluation process to manipulation.
The NCSS was rapped for significant lapses in three tenders valued at $5.06 million between 2016 and last year. One $3.29 million renovation and relocation project involved accepting documents from three vendors, after the tender had closed. The contract was awarded to one of them.
Response from ministries and agencies
In response, National Gallery Singapore said it was reviewing its procurement policies and processes, and this was to be completed by the end of this month. It had also taken steps to recover the overpaid sums from the contractors.
It said contract variations are in line with the scale and complexity of such projects. "Changes to the scope of work are to be expected... to take into account a variety of factors like statutory requirements, site constraints and user or operational requirements. There was no circumvention of procedures under (our) project governance framework, deliberate or otherwise. The project was also managed in accordance with industry best practices."
It added that its project development committee had members from the construction industry.
MCCY said it was satisfied there was no fraud involved and is studying how to improve the management of its future development projects. It is also working with National Gallery Singapore to enhance its financial processes.
Muis said the lapses were due to human error and weaknesses in the process. Training in governance and finance for its officers is being strengthened. It also conducts regular internal audits and has deployed more resources for procurement and IT-related functions.
NCSS agreed with the AGO's recommendations for procedures to ensure tender proposals are evaluated properly.
For seven months, five Ministry of Manpower (MOM) servers failed to send activity logs to the IT security monitoring system due to outdated configurations.
The ministry was none the wiser until the Auditor-General's Office (AGO) pointed out this lapse during its audit in January.
The AGO also found that MOM had not been reviewing changes made to the monitoring system, among other lapses.
Meanwhile, the Ministry of Defence (Mindef) gave several IT vendors unrestricted access to 73 types of human resource data, including salaries.
Of these, 23 information types were never accessed, and four IT vendor staff never used the information at all since the date they were granted access, in one case for more than two years.
"Mindef should have granted read-access to the IT vendor staff based strictly on their job scope and duties," the AGO said.
It also noted that Mindef had not reviewed log records since 2014, which meant any access to the information by IT vendor staff for unauthorised purposes would not have been detected and promptly followed up on.
The AGO also found that Customs had let seven administrators, who were IT vendor staff, use the most privileged user account without password authentication.
The activity logs also did not capture sufficient details of the activities performed using this privileged user account.
Such weaknesses exposed Customs to the risk of unauthorised access and failing to detect any unauthorised activity, the AGO said.
Response from ministries and agencies
MOM said it updated the configurations of its five servers to send activity logs to its system.
It also put in place a process to manage changes made to the IT security monitoring system in March this year. The ministry added that, among other things, it upgraded its system to a version with better logging capabilities in March.
It said it had also started reviewing all security alerts on database administrators' activities, generated by its system, since January.
Mindef told the AGO that it had hired an IT vendor to help manage its complex human resource system and gave the vendor read-access to all information types so it could handle the full range of possible scenarios.
To minimise risk, it put in place strict controls, such as designated rooms that were monitored by CCTV cameras for staff to work in.
It has since removed access to unneeded information types and started a review of access rights for IT vendor staff based on each individual's job scope, among other things. The review was targeted to be completed by June this year.
Mindef said it also started regular reviews of log records.
Customs said it had, since April, enforced password authentication to use the most privileged user account. It also activated a feature to log the activities of database administrators from April, and is working with its IT vendor to automate the review of the logs by the third quarter of this year.
It also reduced the number of administrators required to manage its servers from seven to three.
The agency added that it would further tighten the use of all privileged user accounts.
It would also enhance the system to capture more information of the activities performed using the most privileged user account by the end of the year.
Inadequate oversight on grants
There were a significant number of instances in which funding approval for social grant programmes was obtained only after the funding period began.
That was one of multiple lapses by the Health Ministry (MOH) and the Ministry for Social and Family Development (MSF) in managing these grant programmes, the Auditor-General's Office (AGO) found.
Other lapses included inadequate oversight and checks on the grants.
For example, in making 38 disbursements totalling $9.93 million to 24 voluntary welfare organisations (VWOs), MOH "relied completely" on an administrator it had appointed to assess if the groups satisfied all funding requirements. But the organisations should have qualified for only half the funding amount they were given as they had met only some of the requirements.
MOH had not required the administrator to submit reports or documents supporting the assessments, and neither the ministry nor the administrator was able to produce some of the documentation requested by the AGO during its audit. "Without the full supporting documents, there was inadequate assurance that the disbursements made to the VWOs were correct," the report said.
Similarly, the AGO found that MSF did not perform the necessary checks to ensure that funding conditions were met before making 15 disbursements totalling $1.15 million.
Checks by the AGO also found that a restructured hospital failed to properly compute the right amount of Medifund assistance for patients who chose to stay in Class B2 wards according to MOH guidelines.
As a result, the hospital granted higher Medifund assistance than was provided for, amounting to $119,100 for 24 bills for 22 patients between April 1, 2017, and March 31 last year.
The hospital told the AGO that it had been using the same method to calculate Medifund assistance since 2009. Following the audit, MOH estimated that there could be as many as 4,500 Class B2 ward bills at the hospital for which Medifund assistance was provided from 2013 to last year.
"The different approaches in computing Medifund assistance across public healthcare institutions would result in inconsistent treatment of Medifund recipients," the AGO said in its report.
Response from ministries
In a joint statement, the two ministries said they are taking immediate actions to address the concerns raised by the AGO, including working with relevant VWOs to rectify over-disbursements and under-disbursements.
The Ministry of Finance (MOF) said in a statement that a review of the grant management process led by MOF and the Accountant-General's Department last year has since been completed, and that the public service is taking steps to improve grant governance.
From April 1, 2016, to March 31 last year, a total of $1.59 billion was disbursed by the two ministries to VWOs or their branches funded under 1,058 grant programmes.
Of this number, the AGO test-checked 429, comprising 177 under MOH and 252 under MSF, and covering a disbursement value of $488.52 million.
On Medifund, MOH told the AGO that it would not recover the additional assistance granted to the recipients as its guidelines were "for reference and not strict adherence", and that the institutions had assessed the patients to be in significant financial difficulties. MOH also said it would ensure greater clarity and more consistent understanding of its guidelines moving forward.