Agencies must do more to strengthen IT controls, stamp out recurring lapses: Public accounts watchdog

Agencies must do more to strengthen IT controls, stamp out recurring lapses: Public accounts watchdog

Channel NewsAsia·2018-01-24 10:05

One of lapses found in the Auditor-General's report for the financial year of 2016/17 was the lapses in IT controls, including giving unnecessary rights access to staff. (Photo: AFP/Kirill KUDRYAVTSEV)

SINGAPORE: The Public Accounts Committee has urged several ministries and public agencies to address recurring lapses and strengthen system controls cited in the Auditor-General’s report for the financial year 2016/17. 

One area of weakness identified across several agencies is in IT controls. For instance, giving staff unnecessary access rights and not promptly removing user accounts when they are no longer required, said the committee on Tuesday (Jan 23). 

It also noted that financial controls are lax - payments were not certified, contracts not signed by authorised officers and payments to vendors were not made on time.

These issues occurred despite being highlighted by the Auditor-General in previous reports. 

"This indicated that more should be done to strengthen these areas," said the committee. It added that in many instances, the lapses occurred not because of a lack of processes, but due to agencies not complying with the controls put in place.


The committee highlighted weakness in IT controls at the Ministry of Home Affairs, Ministry of Manpower and the Ministry of Social and Family Development (MSF). 

For instance, there were 595 instances of "inappropriate access" by MSF's IT vendor staff to the computer systems supporting the Baby Bonus as well as Child Care and Infant Care subsidy schemes.

MSF stated that the IT vendor had used different accounts to "complete the assigned tasks quickly", but the committee pointed out that some of these accounts were privileged user accounts and added that this was a "breach of a basic rule on access control which should be taken seriously". 

It added that even if MSF outsourced the managed of its IT systems to external vendors, MSF should remain accountable and "exercise a reasonable level of oversight".

The committee noted, however, the measures MSF had put in place following the incident in order to prevent similar occurrences. These included strengthening the procedures for the administration of IT systems and ensuring an appropriate level of access.


In terms of development projects, there was also inadequate oversight in contract management, said the committee. 

For example, for the Ng Teng Fong General Hospital project, the Health Ministry (MOH) had incurred expenditure for site supervisory staff engaged by its agent, without verifying the need for and reasonableness of the expenditure and seeking the necessary approval. In fact, the ministry had already engaged a contractor to provide such services for the project.

MOH later explained that the agent had not notified the ministry on its intention to engage its own site supervisory staff. MOH was only made aware of this when the agent formally notified the contractor that the three site supervisory staff would be omitted from the contract. 

Additionally, MOH stated that its staff had mistakenly assumed that no additional approval by the ministry would be needed if the total cost for the site supervisory services, including those engaged by the agent, were kept within the budget. The officer involved in this was issued a warning, said MOH. 


Among the government agencies audited, there was also a laxity in financial controls that was discovered at the Ministry of Culture, Community and Youth (MCCY), Ministry of Health, Ministry of Home Affairs and Ministry of Trade and Industry. These include payments that were not certified and contracts not signed by the relevant authorities. 

One of the ministries the committee sought an explanation from was MCCY.

There were 1,396 sponsored devices that the Singapore Sports Council did not properly account for, although properly tracking and acknowledging the items is part of the procedures that have been set in place. 

MCCY said that the procedures were not followed because of the "fast-paced nature of events" that made it hard to keep track of the devices. However, the committee noted that adequate manpower planning and effective process had to be in place to handle such fast-paced events. 


In response to these shortcomings, the committee emphasised that more effective systems and processes must be set up in order to prevent control gaps. These measures should allow the agencies to respond to fast-changing project needs while not compromising on the level of oversight and accountability. 

"The committee would like to urge all agencies to consider redesigning their work processes and leveraging on technology to enhance the effectiveness of controls," it added, while acknowledging that some agencies have made the effort to address the control gaps. 

In light of the level of threat faced in today's environment, the committee said IT security is a "serious concern" and that the implications of such IT lapses are now "more significant".

The committee noted that the recently formed Smart Nation and Digital Government Group is taking actions at the governmental level to strengthen IT governance. 

In addition, the committee said more can be done to increase the level of competency of staff and accountability at the leader level so that awareness is raised on the importance of complying with rules and processes. 


Read full article on Channel NewsAsia

Singapore Government Technology Cybersecurity