Services Australia has “largely” managed the risks to the country’s Centrelink IT system during its billion-dollar redevelopment over the last five years, the national auditor has found.
But the original objectives of the welfare payment infrastructure transformation program are now “at risk” due to delays to decommissioning the 30-year-old income security integrated system (ISIS).
In an audit [pdf] released late on Thursday, the Australian National Audit Office said risk management arrangements deployed to continue operating the Centrelink system during the WPIT program were “largely appropriate”.
The seven-year program is now in the final leg, with Services Australia focused on improving disability, carers and families payments and, by July 2022, decommissioning the Model 204 database used to deliver 62 million transactions each day.
The report found Services Australia had “established and maintained a risk management framework at the entity and group levels”, including at the CIO group-level, that applied to the entire ICT environment, including welfare payment systems.
It had also “managed” risks around payment correctness and system availability, with the agency meeting or surpassing its targets of 95 percent and 98 percent respectively in its last reporting period.
Risks associated with changes to the current payment system during the redevelopment were similarly “appropriately managed”, with a “clear change management process” in place and “most changes … implemented on time and within budget”.
“There were arrangements in place for emergency system changes and low rates of failed and abandoned system changes, although Services Australia did not appropriately monitor the use of workarounds over time,” the report said.
Cyber security, disaster recovery risks remain
However, the agency's cyber security risk management framework was found to be lacking, “as it did not cyber security risk assess or accredit all elements of the system” required under the Protective Security Policy Framework (PSPF).
The auditor said there was “no cyber security risk treatment plan - or system security plan - specific to each of the elements of the welfare payment system”, with strategic and operational assessments generic to all IT systems.
The CIO group risk management plan sought to mitigate this with controls and generic treatments, including a “rolling process of system certification and accreditation under the PSPF”, to reduce residual cyber security risks.
But when the ANAO examined the accreditation status of the welfare payments system in June 2020, key elements, including ISIS and the SAP customer relationship management system linked to ISIS, were “not accredited or under accreditation”.
Another “14 elements of the welfare payments system” were found to be at various stages of accreditation, with the remaining systems expected to be accredited as part of a three-year system assurance program, which Services Australia finalised in November 2019.
“Despite ... assessing the generic operational cyber security risk context as ‘high’ in 2018, Services Australia did not cyber security risk assess, certify or accredit all elements of the welfare payment system as required by the PSPF,” the report said.
The auditor also noted that despite having an IT infrastructure disaster recovery plan, the agency’s preparedness was lacking due to the location of its two primary data centres in Canberra.
“Services Australia had critical backup data capabilities maintained in two data centres in close proximity to each other, which increased the vulnerability of the system to location-specific or provider-specific risks,” the audit said.
“This proximity did not provide appropriate geographic dispersion as required by the ISM [information security manual].”
Services Australia was also unable to “disaggregate all of the [ISIS] system element costs and did not monitor the cost of operating the current welfare system”, which it said cost $98 million a year in 2018-19.
The road ahead
Like its operation of the legacy welfare payments systems during redevelopment, the audit said Services Australia’s “preparations to transition to the future welfare payment system were largely appropriate”.
But it said that “delays to decommissioning a key element of the system (ISIS) have put at risk one of the original objectives of the WPIT program and delay and negate realisation of all the expected benefits of the welfare payment system redevelopment”.
Much of this is down to Services Australia altering its original plan - that ISIS would be replaced by a single solution - and creating two separate programs: the entitlements calculation engine program and payments delivery capability program (Payment Utility).
By the end of June 2020, only about 13 percent of ISIS was expected to have transitioned to the SAP CRM and Payment Utility, with a further 39 percent slated to transition by the end of June 2022.
This means “almost half of the decommissioning was not expected to be completed by the end of the program” despite this continuing to be the main goal of the welfare payment system redevelopment.
The report said that in November 2019 the decommissioning risk became a “realised issue with a ‘very high impact rating’”, with internal reports stating that “decommissioning ‘is not achievable within the funding envelope or timeframe’”.
“A process to ‘confirm if there is a credible decommissioning plan or whether gaps exist’ would not be undertaken until after new systems had been commissioned,” the audit said.
“Services Australia stated that this ‘occurred as a result of the underlying complexity of the ISIS replacement task and changes to the approach which could not have been anticipated at the outset’.
“This indicated that Services Australia would need to request more time and money from government in order to achieve one of the original objectives of the WPIT Programme.”
The audit also reveals that “critical elements of the future system are still in the design phase”, which has “timing implications for the delivery of the redeveloped … system”, and “appropriate arrangements to migrate data” have not been established.
Services Australia has agreed to implement all five recommendations aimed at improving its management of system operating risks and preparations for the future welfare payments system.