Victorian agencies failing to get off end-of-life systems

An "alarming" number of Victorian agencies are using out of support software and systems, while also poorly managing IT security and access controls, according to the state's auditor-general.

In its report on financial systems controls, released today, the auditor-general's office analysed agencies' responses to 462 recommendations for 65 key financial IT systems across 45 entities made over the past year. It also assessed the maturity of software licensing and identity and access management arrangements.

The office found that management at the audited entities continued to be slow to act on its findings, especially those it deemed high-risk.

It reported that 41 percent of its previous IT audit findings had not been addressed, many of which it said were rated high-risk.

The audit office also identified three new emerging themes at Victorian agencies: issues with IT security related to end-of-life software, access management, and the management of controls in outsourced IT environments.

The issues were also raised last year as part of the auditor's inaugural ICT controls audit.

IT security issues continue to account for the majority of the office's findings, the VAGO said.

More than half its audit findings over the past year related to limited progress towards upgrading from end-of-life systems.

"Alarmingly, each year VAGO is finding a large number of IT systems and software which are either no longer supported or fast approaching the end of support by the vendor," it stated in the report.

"This poses IT security and operational risks to the entities' IT environment, as well as unnecessary added costs."

It highlighted the use of Oracle Financials and Windows XP as two platforms that regularly popped up as end-of-life systems still in use. It said one agency signed a $2.37 million deal with Microsoft in April this year to continue supporting Windows XP for 12 more months.

Significant improvement was similarly needed to reduce the risk of inappropriate access to IT systems, it said.

"[The] large number of IT control deficiencies ... have the potential to impact the confidentiality, integrity and availability of public sector financial data and IT systems," the auditor stated in the report.

"Most of the IT audit findings identified were rated medium and high risk, with one rated as an extreme risk."

It cited three root causes for access management control weaknesses:

• poor understanding of access (where accounts for ex-staff are still live)
• the human factor and manual intervention (where human oversights are the main reason for access remaining on a system for ex-staff)
• inadequate periodic reviews of user access

While governance of outsourced IT arrangements had somewhat improved, the auditor said, there was still not enough ownership and visibility over the environments.

"Contracts with service providers should not limit the ability of the entity to review the outsource providers' controls environment," the auditor said.

"There was a perception among some public sector entities that in an outsourcing arrangement the risks associated with the control environment are also transferred, which is not the case."

Awareness of management's responsibilities in such arrangements was growing, the auditor said, but "worryingly, there remain pockets of limited awareness and acceptance, including in high-risk entities, of the risks and responsibilities associated with outsourced arrangements".

The VAGO said it would soon publish a better practice guide to improve IT control environments within government agencies.

To reduce the security issues that arise from running out of support systems, the auditor said the state Department of Premier and Cabinet should monitor the status of IT obsolescence risks within government and report on them.

Auditor urges Victoria to axe “manual”, “inefficient” Myki processes

In a second report, the audit office also lamented the continued existence of ten different paper-only application forms for the Myki transport ticketing system, some of which extend to 15 pages long.

In handing down its score sheet for Victorian government digital services (pdf), the audit team reserved much of its criticism for the maligned state public transport ticketing system.

Touted as an electronic step forward, the report highlighted “manual and inefficient” back-office processes that continue to hold Myki back.

The audit office specifically urged Public Transport Victoria to migrate applications for free travel passes and concession cards online.

Thousands of free and concession Myki holders in Victoria are currently required to fill out long paper forms, which are then manually entered into the database by PTV staff, in order to obtain or renew their pass.

A 2014 report commissioned into Myki satisfaction by PTV highlighted commuters’ main gripes about the system, including:

• Inability to properly view Myki card balances on a mobile,
• The absence of a Myki top-up smartphone app, and
• Delays to phone and online Myki top-ups taking effect.

It can take up to 24 hours for a Myki top-up to clear, while payments made at PTV hubs, train stations and on board buses are instantaneous.

The report criticised the “inefficient back-office system” it called “inconvenient for customers”, and suggested Myki needed to become much more mobile-friendly to meet the increasingly advanced expectations of commuters.

But it said it had no indication the PTV planned to improve the situation in the near future.

“Although PTV plans to continuously improve and innovate its digital product offerings such as evaluating options for seamless payment applications, it has yet to develop any channel strategies to promote topping up Myki card transactions via digital devices, particularly on smartphones and tablets as part of improving digital service delivery," the audit office said.