After 14 years and nearly $50 million in investment, South Australia’s auditor-general has warned the state’s new revenue system has left the government's Treasury vulnerable to fraud.
The RISTEC program has been a thorn in the side of the Department of Treasury and Finance for years, with delays, budget blowouts, and the ditching of whole project phases characterising the replacement of its 20-year-old tax database.
In a report delivered this week, auditor-general Andrew Richardson said the latest budget figures place the cost of the project at $48.8 million. The business case had originally been approved at $22.6 million but was later expanded to $45.5 million after the work was taken to market.
The price, however, does not include a stamp duty and sundry tax release which has been dropped from the project’s scope due to “system problems”, the auditor said.
Richardson said what has been implemented is further undermined by sloppy user controls that could leave the $3 billion Treasury collects in state taxes every year open to fraud, without the government necessarily being aware.
He complained that the agency has handed out excessive user access roles, paired with a lack of audit logging and clear reconciliation processes, that could incur a “significant financial impact to the state”.
“Weaknesses in audit logging and monitoring of the IT environment increase the risk that inappropriate or unauthorised activities could go undetected by management,” the audit report states.
For example, privileged role conflicts meant that some users could manually make changes to bank payments and run the subsequent reconciliations to verify them. They could also create supplier IDs in the system and generate invoices from them without raising the alarm.
Members of the revenue accounting team can delete line items from the state’s bank statements without the changes being logged, the auditor said, creating a clear avenue for abuse or fraud.
The audit team also discovered fully replicated and unencrypted taxpayer data in the revenue system’s test environment, which could be freely accessed by testing staff without any logging of what they have looked at and when.
And some modules of the SAP-based system - which was installed at Treasury by Fujitsu - haven't been properly patched since February 2008.
But despite the auditor-general’s push for urgent action, the department is hamstrung from making changes by a “code freeze” designed to stabilise the troubled system.
It has pledged to have improvements in place by December 2016 once the freeze is lifted.