
AGENCY REVIEWS

INTRODUCTION

A principal responsibility of the Auditor-General relates to the review of the adequacy of controls associated with the operation of financial systems of government and its agencies. A large part of audit activity is therefore directed at reviewing the control environments within which government agencies' financial systems operate, including IT related operations.

Audit's review strategy for 1997-98 included specific reviews of:

  • Information Systems Project Management;
  • Agency System Security Arrangements.

The agencies in which the reviews have been undertaken are listed in the table below. The table includes the areas subject to Audit review.

Audit's observations follow in an abridged form with regard to the reviews that have been undertaken. More detailed commentary with regard to individual agencies, including agency responses, can be obtained by referring to Part B of this Report.

INFORMATION SYSTEMS PROJECT MANAGEMENT

Major IT projects of government agencies were reviewed to ascertain the adequacy of project management arrangements and progress of the projects. In respect of the Department for Environment, Heritage and Aboriginal Affairs, it should be noted that more detailed commentary and the Department response are provided in this Appendix, as the review and reporting process was not completed in time for inclusion in Part B of this Report.

Department for Environment, Heritage and Aboriginal Affairs (DEHAA)

In 1997-98 a follow-up review was undertaken as a part of this Department's Information Technology Audit Program with respect to the DEHAA Land Ownership and Tenure System (LOTS) redevelopment project.

The LOTS redevelopment project involves a two stage approach. Stage 1 involves converting the existing system onto an 'open system' platform. A Cabinet submission of April 1996 indicated an approximate cost of $28 million over five years commencing 1995-96 for redevelopment of LOTS Stages 1 and 2. Approved funding for Stage 1 conversion and recurrent costs totalled $9.75 million to June 1998. Stage 2 involves re-developing the system over a number of years. The LOTS project provides essential infrastructure for the State's Spatial Information Industry Development project.

The review of LOTS Stage 1 re-development project addressed the following:

  • effectiveness and progress of the data conversion project;
  • management responsibilities between DEHAA and DAIS subsequent to the restructure of government agencies;
  • extent to which the 1997 Audit recommendations have been implemented.

Key Audit Findings

Since Audit's review in 1997, the LOTS redevelopment project has made significant progress in converting all of the programs and conducting unit tests.

The review has confirmed that the majority of the 1997 Audit review recommendations have been implemented.

Major quality issues with the program code supplied by the overseas sub-contractor contributed to a project cost overrun at June 1998 of $1.3 million and a further project slippage of four months.

The revised implementation date of 3 September 1998 was derived from an expected improvement in the trend of software quality and availability of resources within this timeframe. DEHAA recognised that achieving the deadline would be tight.

Further delays in the LOTS redevelopment project are having an impact on the planned development activities of related projects such as the Spatial Information Industry and Year 2000 projects.

The investigation of a number of contractual issues relating to the performance of the Prime Contractor consumed a sizeable amount of project management and Crown Solicitor's Office effort during a critical time in the project. The resolution of these matters was under consideration at the time of preparation of this Report.

Audit is of the opinion that it would be prudent for DEHAA to consider modification of the project management methodology to include a contract management role in projects where critical components are contracted out to third party suppliers.

Audit was unable to assess the readiness of the project in preparation for implementation as part of this review because the expected deliverables were still being developed.

Audit considers it important that contingency plans be developed in the event that the LOTS redevelopment project fails to meet the 3 September 1998 deadline, or the Year 2000 effort turns out to be greater than anticipated.

Audit considers there are post-implementation issues associated with LOTS which arise from the departmental restructure of October 1997. These are the:

  • Funding of potential project budget over-run;
  • Infrastructure ownership and associated support structure;
  • Ownership of budget for ongoing maintenance and support.

Department Response

The Department's response of August 1998 to the matters raised by Audit is summarised as:

Department of Education, Training and Employment (DETE)

In 1997-98 a review was undertaken as part of this Department's Information Technology Audit Program with respect to the DETE School Administration System (EDSAS).

The EDSAS System is a suite of computerised application systems to be implemented in all schools to cater for administrative and financial requirements. The initial Government submission in March 1992 approved the identified cost of the EDSAS System project of $16.4 million.

The review focus principally encompassed the following:

  • whether the current methodology being used with regard to the implementation of EDSAS has been subject to adequate processes of planning, project management and Executive review;
  • whether roles and responsibilities have been clearly defined for all project team members;
  • whether Information Systems Quality Assurance is adequate to ensure timely and adequately tested systems for delivery to the users.

Key Audit Findings

  • Both the original and revised time-frames for the installation of EDSAS have been significantly exceeded. Audit has been advised that implementation is expected to be completed in late 1999;
  • Project costs will exceed the cost identified in 1991-92 of $16.4 million. Costs charged to the project total $18.4 million and additional costs will be incurred in relation to the implementation of the Finance Module into schools and the training of school based staff ($1 million budgeted in 1998-99), and implementation of the Timetable Module;
  • The project lacks an appointed project manager to coordinate all aspects of the project;
  • There is no dedicated EDSAS Project Team;
  • Actions taken by the Department to manage the testing phases of the current release, termed version 98.1, of the software have significantly reduced the risk of errors and problems in its release.

Courts Administration Authority (CAA)

Since 1988 the Courts Administration Authority (CAA) had developed and implemented a comprehensive fully integrated courts case management system (CCMS) which impacted upon almost all case management functions and processes of most court jurisdictions.

In September 1995 Cabinet approved that CAA re-engineer its CCMS in conjunction with a private sector IT service provider at an estimated cost of between $6.4 million and $10.4 million depending on a number of options.

Following extensive negotiations it was decided that the CAA would pursue an option with an estimated total cost of $6.9 million, including a contribution of $943 000 from the private sector IT service provider through the provision of hardware, software and consultancy services.

An independent review was undertaken by external consultants contracted to CAA during 1997-98 that encompassed assessing organisational responsibilities; assessing the project management framework and responsibilities; and status of the project.

Key Consultancy Findings

The consultancy findings revealed:

  • a project reporting structure which did not report issues, concerns and delays to Executive Management and Council in a timely manner;
  • initial project estimates which were superficial and optimistic;
  • inappropriate strategies implemented to mitigate the major risks identified;
  • no clear segregation of duties between the role of Project Manager, Manager Information Services and Applications Development Manager;
  • no separate budget established specifically for the project to enable the monitoring of cost.

South Australian Health Commission (SAHC)

Projects currently in progress have been derived from the SAHC's information resource management strategy, namely Info2000, which was endorsed by Cabinet in August 1994.

Info2000 has been directed to the development of clinically oriented systems and the replacement of Health Unit systems with new 'common' systems, over a five year period commencing 1994-95, at an estimated overall cost of $111.1 million ($76.5 million capital and $34.6 million recurrent based on 1993-94 dollars). The strategy includes clinical systems, patient cost/management systems and resource management systems.

The Audit review of certain aspects of the Info2000 project encompassed the following:

  • the project strategy and its status;
  • the role and function of the SAHC Information Management Division in relation to the implementation of the strategy.

Key Audit Findings

The findings of the Audit review confirmed a major recommendation of an Internal Audit review that there needed to be a revision of the Info2000 strategy, and revealed that all projects within the Info2000 strategy exhibited an absence of regular and comprehensive reporting on implementation progress and the financial status of projects on a timely basis to management.

Review of some of the Cabinet Submissions seeking approval for the implementation of the Info2000 projects identified inadequacies in the presentation of financial information as to the likely costs and benefits of implementing the projects. Audit noted that Cabinet has yet to receive requested post-implementation reports.

The administrative arrangements and practices in relation to the management of contractors/consultants were found to be less than rigorous in a number of areas.

AGENCIES SYSTEM SECURITY ARRANGEMENTS

The following summarises Audit's observations in relation to the reviews of individual agency systems.

Services SA (of DAIS)

Audit's review of security within the former Services SA addressed security arrangements, including segregation of duties, user access and system change procedures, in relation to the Government Employee Rent Management System, Maintenance and Construction System, Fees and Resources Management System, and Boulevard-Property Management System.

Key Audit Findings

The review indicated that with respect to processes in place to control user access, there were several areas where management and system controls could be strengthened. These include improvement to:

  • system controls over passwords and information;
  • processes for managing access to the system;
  • control over user activities.

Department of Education, Training and Employment (DETE)

School Administration System

In 1997-98 Audit reviewed the DETE School Administration System (EDSAS). The EDSAS System is a suite of computerised application systems to be implemented in all schools to cater for administrative and financial requirements. The review addressed whether the security and integrity aspects of the EDSAS system provide adequate controls to prevent or detect errors and/or irregularities in the operation of EDSAS. In particular, the review considered the adequacy of system access levels and audit trails.

Key Audit Findings

No security specifications have been developed for EDSAS in accordance with government required IT security standards.

Student Management System

Audit undertook a follow-up review of the DETE Student Management System (SMS).

The SMS is a computer based information system which was developed to provide consistent, accurate and timely information to Institutes of TAFE to assist in the management of classes, students and enrolments. Information from the SMS is also issued to students and employers. The review focus addressed progress of the predecessor Department for Employment, Training and Further Education in implementing the recommendations from the 1996-97 review of the SMS.

Key Audit Findings

Audit's review found the control environment has not improved since the initial review. In particular, deficiencies were detected in relation to:

  • the development and implementation across the organisation of security policies and procedures;
  • management of user system activity;
  • controls over system security.

A failure to satisfactorily resolve these issues increases the opportunities for unauthorised access to the SMS and the risk of unauthorised data being processed. In addition, there is the risk of prolonged and costly interruption to operations and/or loss of SMS facilities, programs and data.

South Australian Water Corporation (The Corporation)

The Corporation utilises a Customer Service Information System (CSIS) to record the rate revenue billed and receivable. CSIS is a highly automated system and is characterised by on-line processing, checking and authorisation of transactions. Accordingly, there is significant reliance on automated system controls.

Audit reviewed the security arrangements in relation to the CSIS, including: segregation of duties and user access; aspects of the system functionality; and system change procedures.

Key Audit Findings

With respect to processes in place to control user access, there were several areas where management and system controls could be strengthened. These include improvement to:

  • system controls over passwords and information;
  • processes for managing user identification and access to the system;
  • monitoring of privileged user activities.

Independent Gaming Corporation Ltd

The Independent Gaming Corporation Ltd (IGC) was established by the Hotel and Club Industry to provide a centralised computer monitoring facility for the management of gaming machines in South Australia. The system services over 500 individual gaming venues and in excess of 10 900 gaming machines with a turnover of $3.3 billion per annum.

A follow-up Audit review was conducted of the Gaming Machine Monitoring System (GMMS) environment to establish the current status of Audit's previous recommendations.

Key Audit Findings

Audit's review findings generally indicated a satisfactory situation in respect to the principal control areas addressed; however, certain risk exposures were identified in relation to logical access security.

In respect to the important area of system access control, matters still outstanding at the time of the follow-up review were principally:

  • all users within GMMS have full access, enabling changes to master files and system parameters. This matter was outstanding due to the delayed delivery of a major upgrade to the GMMS;
  • a data editor is maintained on the production system which could be used by system administrators to edit any database or (security) log file;
  • GMMS does not provide a security access audit trail.

In addition, Audit noted that improvement was required in terms of a formal methodology to be adopted for management of Year 2000 compliance.

The Corporation advised appropriate action has been taken to address the matters raised and that the current GMMS will be replaced at the end of 1998, at which time it is intended to revisit all significant issues that impact on the efficient and effective administration of system operations.
