Lapses in public sector's IT controls a concern

Besides weaknesses in information technology controls, the Public Accounts Committee also highlighted two other issues: lax financial controls and inadequate oversight of development projects.
Besides weaknesses in information technology controls, the Public Accounts Committee also highlighted two other issues: lax financial controls and inadequate oversight of development projects.PHOTO: BLOOMBERG

Mistakes occur because agencies are not complying with controls, says Public Accounts Committee

The weaknesses in IT controls detected in the public sector are significant, given the growing IT security threats today, said the Public Accounts Committee (PAC).

Many of the lapses cut across agencies and happened despite the Auditor-General pointing out similar problems in the past, added the Parliament watchdog on public funds.

It reminded public-sector agencies to adhere strictly to IT policies and controls, saying that the mistakes had occurred "not because of a lack of processes, but due to agencies not complying with the controls put in place".

The PAC - tasked to scrutinise how public funds are spent and track what government agencies have done to correct irregularities in the use of the funds - had studied the Auditor-General's findings for the 2016/2017 financial year.

Its latest report was submitted to Parliament on Monday.

Besides weaknesses in information technology controls, the committee also highlighted two other issues: lax financial controls and inadequate oversight of development projects.

  • Other instances of lapses

  • 1. The Ministry of Social and Family Development was found to have made 717 incorrect reimbursements to employers in 2014 and 2015 for government-paid paternity leave.

    After contacting the employers involved and working out the sums, the ministry had to make supplementary payments totalling $92,461 and also got refunds totalling $124.

    Not all employers involved have responded.

    MSF said it has updated it system to make sure the right formula is applied for such claims.

    2. The Singapore Sports Council, which comes under the Ministry of Culture, Community and Youth (MCCY), had taken one to 3.6 years to pay some of its vendors. MCCY said the 299 late payments had happened between 2014 and 2016, when the council was organising the 28th SEA Games and 8th Asean Para Games.

    A review of the council's transaction processes and systems will be completed in March, said MCCY, adding that no late charges were incurred.

    3. Inaccurate and incomplete information was provided for the approval of grants at the Economic Development Board.

    Grant recipients had said they had not met the project conditions, but this was not told to those approving the grants.

    The Ministry of Trade and Industry (MTI) said this happened because verbal discussions were not properly documented, but there was no fraudulent activity or malicious intent. MTI added that all the information gaps have been plugged.

Some problems cut across the public sector and were not new, indicating that there was a need to strengthen these areas, said the committee of eight MPs, chaired by East Coast GRC MP Jessica Tan.

It called on the agencies to drum into their staff the importance of complying with rules and processes, and to hold agency heads accountable when this is not done.

"The committee would like to reiterate that to stamp out recurring lapses and strengthen governance, every public sector agency has to play its part and be committed to implementing effective controls," said the report.

One case the PAC flagged had to do with 595 instances of inappropriate access of the IT systems used for subsidy schemes such as the Baby Bonus.

The committee found that user accounts used had high-level rights with unrestricted access.

The Ministry of Social and Family Development (MSF) said it had issued a stern warning to its IT vendor, which had used the different accounts to complete its tasks quickly.

To prevent a repeat of this, MSF has also introduced measures such as requiring monthly reviews of accounts and access logs by its own IT staff to detect inappropriate activity.

Another lapse flagged had to do with the failure to properly oversee some aspects of the Ng Teng Fong Hospital project.

The Ministry of Health (MOH) had engaged a contractor to provide supervisory duties at the site. At the same time, the ministry's agent, MOH Holdings, had hired its own supervisory staff without first seeking approval or checking if it was necessary.

This resulted in some duplicate expenses incurred. MOH said it will not reimburse its agent for this.

Site supervisory staff for public healthcare infrastructure projects are now also provided by the appointed project consultants, instead of through separate contracts.

The PAC noted that the Ministry of Finance (MOF) has put in place measures to deal with the lapses on a whole-of-government level, including setting up an inter-agency work group to look into common lapses.

The committee suggested that the MOF should also consider how the good practices of some agencies can be implemented in other places for improvements across the board.

A version of this article appeared in the print edition of The Straits Times on January 24, 2018, with the headline 'Lapses in public sector's IT controls a concern'. Print Edition | Subscribe