Customs reviews integrity of HR system

The Australian Customs and Border Protection Service will undertake a "substantive" salary and employee entitlement review to prove the integrity of data in its year-old COMPASS human resources system.

The system was implemented in June 2011 "with a large number of defects", according to a federal audit.

About 182 defects still require resolution, including some that impact "the reliability and integrity of employee benefits and employee provisions" recorded in the system, which total $673 million.

In addition to the known defects, undisclosed weaknesses were found in IT security "design and effectiveness" for the system.

"These weaknesses and the impact of unresolved implementation defects increase the risk of a material misstatement of employee benefits and employee provisions as at 30 June 2012," the auditor found.

"The weaknesses identified have also resulted in the [Audit Office] placing limited reliance on the system controls supporting the processing and management of salaries and employee entitlements."

The auditor sought "remediation work" to ensure that end-of-year financial statements are accurate.

"Customs and Border Protection has advised that in conjunction with the review of system defects, it is undertaking a calculation of employee transactional information and leave provisions as a matter of priority," the auditor noted.

The COMPASS project will also force Customs to review its IT governance practices "as a matter of priority".

The audit notes that "management and general IT governance arrangements" for elements of the COMPASS system "were not operating effectively".

"For example, existing change processes did not adequately prioritise and comprehensively test changes, or communicate the impact of changes to appropriate stakeholders," the audit found.

"This breakdown in the IT governance arrangements contributed to weaknesses relating to the implementation and configuration issues."

IT controls

Customs' COMPASS woes are detailed in a broader interim assessment of controls that "could result in the material misstatement of agencies' financial statements".

From an IT standpoint, such controls include general IT security, change, incident and problem management, as well as application controls around key finance and human resources systems.

In the current audit, the key controls of 25 major agencies are examined. Combined, the agencies represent 95 percent of general Government sector revenues and expenses.

The audit found "no significant" year-on-year change in the operation of general IT and application controls for the agencies' information systems.

From one perspective this is positive. It means that "change management governance and system release management" improvements recorded in 2010-11 were maintained.

However, "the management of user access, particularly the logging and monitoring of user activities for privileged users, and business continuity arrangements for Human Resources Management Information Systems (HRMIS) continued to be areas requiring improvement in some agencies," the audit noted.

Some 146 IT risks were identified in the audit, with the majority posing a low business or financial management risk compared with 158 findings identified in 2010–11.

Defence's mixed bag

Project governance of Defence’s Military Integrated Logistics Information System (MILIS) improved year-on-year, as did the management of General Stores Inventory (GSI) and Repairable Items (RI) quantities.

The improvements saw the two issues - formerly rated "significant" by the auditor - downgraded to "moderate" status.

The audit commended Defence on substantial improvements achieved in its financial reporting systems and processes.

It noted that a moderate audit issue relating to payroll reconciliations between two human resource management systems operated by Defence has also been resolved.

One moderate audit finding relating to identified weaknesses in MILIS change management practices remained outstanding.

The ANAO considered a review of the design of the change management process should be undertaken, relevant policies and procedures updated and a system of regular compliance monitoring established.

Defence has undertaken a review of the change management and configuration management controls and processes, and has updated procedural documentation.

Veterans Affairs' QUASARS system

The audit noted shortcomings in the Department of Veterans Affairs' QUASARS application, which is used for quality assurance.

It also identified a large number of users with high levels of access, without logging and monitoring of actions performed by users within the system.

The audit identified reconciliations between the general ledger and subsidiary systems for payroll, accounts receivable, and accounts payable, that weren't always completed and reviewed in a timely manner, with variances remaining unresolved for significant periods of time.

The auditor raised similar concerns in 2009–10 and 2010–11 in relation to payroll reconciliations. 

Subject to resolving its quality assurance framework, management of segregation of duties and reporting of future claims for military compensation, the Audit Office considered the department's financial statements would be substantially correct.

SAP dominates system share

The interim audit report is also useful in tracking the most popular financial and personnel systems in favour by the major agencies.

SAP dominates the finance space accounting for 18 out of 25 of the agencies in 2011-12. Technology One and QSP share the remainder.

SAP also runs personnel systems for 11 agencies. Aurion also has 11, and PeopleSoft has three. However, SAP is the only one to grow its share in 2011-12.