SINGAPORE (July 22): The Auditor-General has found significant lapses in controls over access to personal and confidential data by IT vendors at the ministries of manpower and defence, as well as Singapore Customs. In its report, the Auditor-General pointed out that it was not the first time that public sector entities were found to have weak IT controls. “Similar issues were also found across different public sector entities audited by the AGO (Auditor-General’s office) over the last few years, indicating that IT controls remain a key area for improvement.”
At the Manpower Ministry, for instance, administrators of operating systems for the units that supported the processing of work permits and employment passes, who were vendor employees, had unrestricted access to the systems. They could also delete audit trails to remove any trace of unauthorised activities. The report noted that any unauthorised activity could compromise the confidentiality and integrity of the data in the systems.
At Mindef, the Auditor-General found that a number of IT vendor staff were granted unrestricted access to read personnel and payroll information in the ministry’s human resource system. The report also noted that since 2014, Mindef had not reviewed the logs of access made by the vendor’s staff to information types that required controlled access.
Also at Mindef, the AGO found that the ministry had overpaid flying allowances to 12 pilots, and underpaid two others. The wrong payments were a result of administrative lapses, or human resource officers wrongly interpreting eligibility criteria. The ministry says it either has recovered the excess payments or is in the process of making good on them.
Another major audit finding was lapses in procurement and contract management, including approval not obtained before works were carried out. The audit of the Ministry of National Development and URA, for instance, found irregularities in quotation documents submitted by contractors. Both MND and URA have since referred these cases to the police.
Lapses were also found at the Ministry of Culture, Community and Youth’s National Gallery Singapore project. The audit uncovered issues in the approval of contract variations amounting to $12.4 million. These lapses included approval having been sought or obtained only after the works had started or were completed. “Failure to properly assess and manage contract variations could result in MCCY not obtaining full value from the public funds spent,” the report noted.
All ministries and public sector agencies found to have lapses have said they will be taking immediate steps to rectify them.
The AGO’s role is to audit and report to the president and Parliament on the accounting and use of public resources. The AGO adopts a risk-based approach in determining the areas to be covered in an audit. Importantly, as the report noted, “as audits are conducted on a test check basis, they do not reveal all irregularities and weaknesses”.
However, the Auditor-General, Goh Soon Poh, also noted the Ministry of Finance’s efforts to work with public sector agencies to address the issues raised in the audits. “The measures include setting the right tone at the top, raising awareness and uplifting capabilities of public officers in areas such as project management and contract management, and strengthening the public sector internal audit community.”
At the same time, the Smart Nation and Digital Government Group, under the Finance Ministry, is strengthening IT governance across the public sector, and has since stepped up the number and types of internal IT audits.
In her report, Goh also said the public agencies take the audit observations seriously and are committed to rectifying problems, and the office will follow up with the public agencies “to ascertain that remedial actions are taken”.
