CenITex has formalised an IT change management policy document that Victoria's auditor-general criticised it for using while still in draft.
The IT shared services agency was singled out in a state audit of the IT controls that track changes to systems that departments use to lodge end-of-year financial reports.
CenITex, which runs operating environments and hardware for 10 of 11 portfolio departments in the state, was found to have "sound management practices in place to process changes to their IT systems".
It passed most of the auditor's tests, except that its IT change management policy document was found to be in draft at the time of review.
"This means that the documents have yet to be adopted as part of the CenITex governance structure," auditor-general Des Pearson noted.
However, CenITex CEO Michael Vanderheide told Pearson in a letter sent more than a fortnight before the audit report was published that the policy had been ratified by senior management back in August.
He said the document was only in draft because it had been reviewed and refreshed to coincide with its implementation in a BMC Remedy suite that was implemented the same month.
"As well, the documentation was in draft to enable CenITex the opportunity to assess the appropriate process model and leverage from better practice from departments being transitioned into CenITex," he said.
Vanderheide said change management documents on its insITe customer website were now being edited to "align with the final process and procedure guide for change management."
Department names under wraps
Auditor-general Pearson noted that IT controls underpinned the "production of reliable, accurate and timely information, including financial reports".
He found the operation of controls in the state to be "generally adequate" and made adverse findings only on how the controls were documented and/or approved by senior management.
Five unnamed portfolio departments did not meet audit standards in this regard. The state of Victoria has 11 portfolio departments.
"In their absence there is a heightened risk that changes will not be appropriately designed, tested and approved prior to implementation," Pearson said.
"Consequently, unauthorised application changes, and changes that do not meet user requirements could occur.
"This could lead to financial processing disruption and/or an inability of the entity to produce financial reporting."
Pearson noted that Shared Business Systems (SBS) - which sits under the Department of Primary Industries and manages an Oracle financial system for three portfolio departments - could suffer such problems.
"Although SBS requires all changes to be approved by the SBS General Manager or SBS Governance Board, for a number of changes relevant approval could not be located," Pearson said.
"This increases the risk that unauthorised changes are made to the financial applications of the three portfolio departments SBS service."
The remaining eight portfolio departments managed their own finance applications.
One portfolio department was warned after it was found that development and testing processes were not sandboxed from its production environment.
"This increased the risk that changes that have not been validated and tested are implemented into the operating environment," Pearson said.
The auditor-general produced a similar report about IT controls on financial systems last year, which found portfolio departments weren't monitoring the performance of outsourced IT providers.