Vic auditor reveals targets in heightened tech scrutiny

Victorian auditor general John Doyle will continue his hard line approach to the government's handling of IT, today revealing a full pipeline of technology audits for the next few years.

Doyle has been a long-running critic of the state's approach to IT. His alarming 2011 report - which uncovered $1.4 billion in cost overruns stemming from only ten projects - led Doyle to last year announce a rolling review of agency technology over three years.

This so-called “digital dashboard” will provide a series of reports to parliament on the performance of the state’s existing IT projects.

The auditor has now unveiled several new planned IT audits to add to the tally.

He today revealed the digital dashboard will be accompanied by audits into ICT strategic planning, university student management systems, services delivered via mobile devices, and the security of infrastructure control systems for water and transport.

Victorian government agencies spend more than 4 percent of the state's average annual operating expenditure, or over $3 billion, on IT, Doyle found last year.

"Yet there continues to be significant weaknesses in the delivery and benefit realisation of these projects," Doyle wrote in his annual plan for 2015-16, released today [pdf].

'Such a significant investment requires a high level of scrutiny to ensure Victorians receive value for money."

The Victorian public sector does not have a good track record when it comes to ICT projects, Doyle wrote, highlighting findings from its first digital dashboard and ICT control reports.

Those reports found "persistent weaknesses in the planning and implementation of ICT projects" often resulted in substantial delays and cost overruns.

Doyle also repeated criticism of agencies' unwillingess to hand over details of their IT activities and spend.

"This lack of transparency makes it difficult to determine whether ICT investments have enhanced government services and whether public resources have been spent in an efficient, effective and economical way."

The auditor-general's newly-established information systems audit team will work on part two of the office's review on 'delivering services to citizens and consumers via devices of personal choice'. 

The first part of the report, tabled earlier this month, found Victoria was still yet to realise its whole-of-government vision for digital service delivery despite handing down the strategy two years ago. Doyle attributed the delay to continual changes in technology governance.

Part two of the audit will focus "in detail" on how agencies decide which services to deliver online.

Doyle will specifically target the Department of Premier and Cabinet, State Revenue Office, Department of Justice and Regulation, Human Services, Public Transport Victoria and VicRoads.

Over the next two years, the team will also study the effectiveness and efficiency of student management systems at Victoria's universities.

Doyle said it wasn't clear that the public had benefited from an average $25 million in investment per university into student management IT.

"There have also been some notable issues in terms of implementation and in some cases a failure to meet the expected business and educational outcomes," he said.

In the pipeline

For 2016-17, the ICT audit team will look into ICT strategic planning in the state - specifically whether public resources are being invested to meet growing consumer expectations and demands.

"Despite several billion dollars in annual investment, the public sector does not have a good track record for planning and implementing ICT initiatives," Doyle wrote.

"Strategic planning for public sector ICT projects is often characterised by reactive ‘internal’ view of service demand, and is being fundamentally challenged and sometimes overwhelmed by the emerging technology landscape."

The security of infrastructure control systems for water and transport will also be a focus for 2016-17. 

The ICT audit team will asess whether agencies are managing security risks to critical IT management and control systems controlling water and train infrastructure effectively.

Agencies - including the departments of Environment, Jobs, Transport, Economic Developement and Land, Water and Planning - will also be chased up to see whether recommendations from the office's 2010-11 audit on the same topic have been implemented.

Doyle also flagged data sharing, the usefulness of CCTV for public safety, TAFE ICT, security of hospital patient data, and disaster recovery as future focuses beyond 2018.