Western Australia’s Auditor-General, Colin Murphy, has issued a stern warning to the state government to lift its game in terms of IT management, after exposing a number of alarming oversights in his latest report to parliament.
Murphy unearthed failed projects with no business cases, a revolving door of CIOs, agencies with no idea where their data is stored and painfully inefficient manual processes slowing down agency resources.
He uncovered 455 issues with IT controls across the state and said less than half of all government bodies are meeting minimum information security benchmarks, a decline from the previous year.
“As I have highlighted in the past, agencies often have difficulty in successfully delivering ICT projects, and this report contains some very important lessons for all agencies," Murphy warned in a statement.
“Unless we get better at bringing in ICT projects on time and budget, the state will continue to spend millions more than necessary."
The ID management mess lurking in Fiona Stanley Hospital
The Auditor-General’s report this year resulted from a request to look into what went wrong with the Department of Health’s Identity Access Management project - which was thought up in 2007 and spent nearly three years going to tender, only to be cancelled late in 2013.
The system was meant to control physical smartcard access to the Fiona Stanley Hospital based automatically on user roles and to deliver remote access to core hospital systems.
But with no business case, no project ownership, a non-compliant tendering process, a governance structure that was never actually put in place and a revolving door of four CIOs during its lifespan, the Auditor has revealed that the $9.2 million initiative never stood much of a chance of success.
Between June 2008 and November 2011, the Auditor-General could not find a single record showing any project management activities took place. He said he had no way of confirming whether a planned pilot of the solution ever went ahead.
His recommendations to Health’s failure reflect some fundamental elements of project management 101.
He said top agency chiefs could not afford to leave IT entirely up to the CIO.
“Chief executive officers and other senior managers also need to fully appreciate the opportunities and threats that are inherent within their IT systems. It is not wise or acceptable to push these issues aside for the sole attention of the IT experts,” Murphy said.
Dude, where’s my data?
While several WA agencies have seized the initiative to adopt cloud computing solutions, the Auditor-General found gaping holes in the contracts they have signed with cloud providers.
Nearly all five agencies scrutinised failed to place limitations on where their data could be held – one of which was found to be inadvertently backing up to an offshore facility.
Murphy found agencies were essentially making their cloud management policies up as they went, with no central guidance forthcoming from the Department of Finance.
For example, the Department of Fisheries, which uses a cloud-based solution to monitor commercial marine vessels off the WA coast, never put together a business case to justify the implementation, nor did it specify any security benchmarks as part of its vendor contract.
The Department was contrite in its response to the findings, saying it was “fully aware of the shortfalls of the current contract and is seeking to resolve these issues”.
However it also noted a lack of guidance on the issue available to WA agencies.
“At the time the department secured this contract there was limited information available to assist agencies purchasing solutions of this nature."
Two agencies audited blamed the rushed dumping of WA’s shared services scheme for their ad-hoc approach to cloud contracting.
The Department of Sport and Recreation and the Metropolitan Development Authority both made the switch to Talent2 ERP software in the wake of the decommissioning of the central Oracle eBusiness suite in 2011.
“Due to the short time frame agencies had limited capacity to determine whether the cloud based arrangement best suited their needs,” the Auditor conceded, but pointed out that in their haste the agencies had allowed sensitive staff records to be stored in Melbourne even though their contracts with the provider stipulated they must stay within the state.
“Given the sensitivity of the personal information being stored on Talent2, all agencies should ensure they have a full understanding of the contract and service levels,” the report noted.
In other agencies, the Auditor discovered hopelessly inefficient business processes caused by poorly integrated IT systems.
At the WA Water Corporation, staff are forced to manually copy and paste alarm events out of its SCADA system into their SAP workflow system to generate maintenance work orders.
Inside Western Power, different sets of data are manually entered into a single spreadsheet every month to create management reports, creating huge risks of data entry errors.
Last week iTnews awarded Western Australia with the wooden spoon in our ranking (PDF) of the best and worst Australian state governments in terms of IT maturity.
Premier Colin Barnett was quizzed about the result and WA’s lack of a state-wide IT strategy in question time, a challenge largely deflected by the Premier who said technology did not fall into his science portfolio.
“We will develop our policy as we see fit,” said Barnett.
Shadow Commerce Minister Kate Doust said Premier Barnett should be using "every tool available to him to help ease the transition of the WA economy out of the ground and into the cloud.”