Audit heralds improved IT management in Government

But Defence procurement system and manual ATO processes raise concerns.

The Australian National Audit Office has given Federal Government agencies a tick of approval in terms of IT management, according to an interim audit.

Most large agencies could demonstrate effective incident and problem management processes, the report notes. 

In 2007–08, the ANAO reported over 30 percent (or seven agencies) of Canberra's agencies did not have effective security governance frameworks. But in 2010–11, all but one agency had effective controls in place. 

Most agencies are managing, logging, and properly monitoring privileged user activities which are critical to detect fraud or inappropriate use, the report said.

The audit found that governance of privileged user accounts within Financial Management Information Systems had been tightened, with fewer than 10 percent (two agencies) not effectively managing the risks arising from this level of access to financial information, compared with over 30 percent (eight agencies) in 2009–10.

The ability of agencies to ensure continuity of FMIS also improved during the past year. In 2009–10, over 30 percent (eight agencies) were not effectively implementing controls to manage business continuity risks. In 2010–11, this has reduced to around 12 percent (three agencies).

Agencies also strengthened the administration of privileged user accounts for Human Resource systems.  In 2009–10, almost 35 percent (nine agencies) needed to improve their controls in this area. In 2010–11, this dropped to 15 percent (four agencies).

However, the ANAO found the logging and monitoring of user activities by privileged users required more attention in some agencies.

“The ongoing effectiveness of user access controls is an important element in maintaining the integrity of agencies’ financial information. To address these weaknesses, agencies should have appropriate user access policies and procedures in place across the entire IT environment. Such policies and procedures should align with agencies’ information security policies,” its report states.

Defence concerns

But it wasn't all good news.

Defence's Military Integrated Logistic Information System (MILIS) was flagged as a system in need of improvement.

MILIS has more than 9,000 users in 160 locations, and is used to manage demands, purchasing, warehousing, distribution and maintenance of Defence’s military inventory.

The system tracked 650,000 types of equipment, worth over $9 billion, and currently supported operations in the Middle East, East Timor and the Solomon Islands.

The ANAO identified several weaknesses in the system, including missing functionality, insufficient testing, poor documentation and change management processes and a poor response to defects.

ANAO noted that Defence was undertaking “intensive remediation activities” to resolve these matters. Defence has already gone on record defending the MILIS in April.

Taxing systems

The accuracy of the manual processing of tax returns at the Australian Taxation Office also raised concerns in the Audit.

The ANAO performed extensive testing on manually-corrected returns to find continuing incidences of manual processing errors.

A number of these errors resulted in incorrect payments to taxpayers, which the ATO advised were being corrected. The ATO also advised that system and quality assurance processes are being developed and are scheduled for implementation in December 2011.