The Second Report of the Public Accounts Committee of Singapore was presented to Parliament yesterday. The Committee considered the Report of the Auditor-General for the financial year 2016/17. One of the common themes in the report was certain weaknesses in IT controls across public sector agencies. The Committee sought written explanations from three ministries: Ministry of Home Affairs (MHA), Ministry of Manpower (MOM) and the Ministry of Social and Family Development (MSF). All three have responded. They have taken multiple steps to close the gaps and strengthen IT governance.
The Committee noted that the recently formed Smart Nation and Digital Government Group (SNDGG) is taking actions at the Whole-of-Government (WOG) level to strengthen IT governance within the public sector. The Committee also reiterated that to eliminate recurring lapses and strengthen governance, every public sector agency has to play its part and be committed to implementing effective controls.
Actions taken by MHA
The Committee noted from the audit observations on the Singapore Corporation of Rehabilitative Enterprises (SCORE) that there were inadequate controls to detect unauthorised changes made to payroll records. SCORE indicated that it would verify all salary payments made from April 2014 to January 2017 to ensure that no unauthorised changes were made to staff salaries.
MHA informed the Committee that the verification exercise was completed and no anomalies were detected. MHA has also taken a number of remedial actions to address the weaknesses in the payroll processing. SCORE had started monthly reviews of user access rights and the activities of privileged users since June 2017.
In July 2017, enhancements were made to tighten the payroll process to prevent and detect tampering of payroll records.
MHA Computer Assisted Auditing Tool is being used since July 2017 to flag out anomalies and suspicious transactions before each payroll run.
MHA has seconded an experienced Human Resource (HR) officer to oversee SCORE’s HR department in October 2017.
Finally, SCORE will be migrating to the Public Service HR and payroll systems which adhered to best practices in controls, by first quarter of 2018.
Actions taken by Ministry of Manpower (MOM)
The audit report noted that at the Central Provident Fund Board (CPFB), that there might be a lack of management and oversight of the areas of change management, security monitoring and access control for IT systems.
MOM informed the Committee that CPFB has in place a sound system to oversee change management, monitor its IT systems and usage, and manage system access rights to ensure that CPFB’s systems and databases are protected against IT security threats and unauthorised access at all times. The lapses identified in the management of CPFB’s two IT security monitoring systems and controls for system access for temporary staff were the exceptions rather than the norm.
On the management of the two IT security monitoring systems, MOM has followed up and closed the gaps.
One of the steps taken is the implementation of a change management process since January 2017 to ensure that all changes made are formally authorised and tracked. It had also completed a further round of checks of all other IT systems and confirmed that there is a documented change management process specific to each system.
In addition, CPFB has since placed all its critical systems (including the non-public facing ones) under monitoring in June 2017. CPFB has also completed the review of the monitoring rules of the IT security monitoring systems in March 2017, to ensure that the systems remain effective. A periodic review process had also been implemented in May 2017.
Disciplinary action has been taken against the staff who failed to properly configure the IT security monitoring system to provide complete alert reports on IT security violations.
Moreover, CPFB has implemented an Identity Governance and Administration (IGA) system to strengthen the access controls of CPFB’s systems. This IGA system provides full visibility of who has access to which IT systems, automates life-cycle management of accounts and account dormancy checks, and facilitates periodic review of accounts and accesses. All CPFB’s core systems have been placed under the IGA system in October 2017 while the rest of the systems will be placed under the IGA system by December 2018.
Another observation by the Committee was that the system access of some temporary staff accounts was not removed promptly after the temporary staff left CPFB.
MOM explained that the lapses occurred due to an oversight of a supervising officer and CPFB had taken disciplinary action against the officer for not complying with the established procedures. CPFB had since improved the process, including having a checklist of actions to be completed when a temporary staff leaves. This checklist would be reviewed at three levels to ensure that necessary actions have been taken.
Actions taken by MSF
The Committee noted that there were instances of inappropriate access and breaches on rule on access control by MSF’s IT vendor staff to the IT systems that support the Baby Bonus and Child Care/Infant Care subsidy schemes. MSF has conducted and completed investigation of all 595 previous instances of inappropriate access.
The investigation by MSF revealed that all instances of access were for valid business purposes. The lapse lies in the use of different accounts by IT vendor staff and failure to duly adopt segregation of roles in hope of completing the assigned tasks quickly. Upon conclusion of the investigation, MSF had issued a stern warning letter to the management of the IT vendor to comply strictly with the existing Standard Operating Procedures (SOPs).
To prevent recurrence of similar incidents and strengthen oversight of its IT vendors, MSF had taken the following actions which include: (1) a one-time review of all system and database administrator accounts and the access logs for the past 12 months; (2) reviewed and directed the IT vendors to strengthen their procedures for the administration of IT systems and management of accounts, (3) instituted independent monthly review of accounts and access logs by MSF’s IT staff using data analytics, (4) required IT vendors to carry out review of privileged accounts and activities, and to report their findings to MSF’s IT project team on a monthly basis with key results to be reported to MSF’s IT management team on a quarterly basis, and (5) tightened the processes of IT vendors to ensure that appropriate processes and resources are available for vendors to complete their tasks without compromising segregation of roles.
These actions taken by MSF illustrate the Ministry remains accountable and is stepping up in its oversight to ensure proper compliance with SOPs. Strengthened procedures will ensure appropriate level of access and clearer segregation of roles.
WOG approach in strengthening IT Governance within the Public Sector
Addressing the concerns over the weaknesses in IT controls found across several public sector entities, MOF informed the Committee that Singapore is taking a WOG approach in strengthening IT governance within the public sector with the recently formed SNDGG under the Prime Minister’s Office.
The SNDGG is designated to be the central body that oversees policies on IT management in the Government to safeguard the integrity of IT systems and the data within. SNDGG has been continually refining IT management policies to ensure proper controls. It also conducts independent audits to help agencies identify and rectify any gaps in compliance with the policies, which is then shared to various WOG and multi-agency platforms every year. For example, SNDGG has shared key learning points from AGO’s findings on weakness in IT controls at senior management forums.
The Government Technology Agency (GovTech) has also completed an assessment of the feasibility and cost-worthiness of solutions to automatically update account and access rights in IT systems when officers’ records are added or removed in HR systems.
Given the cost and complexity of implementing the solutions, GovTech would prioritise the agencies to work with to adopt the automated solutions over the next few years, beginning with those with the largest impact.
Featured image: TteckK.